Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CEFA-FAS_LicMgr.exe

Overview

General Information

Sample name:CEFA-FAS_LicMgr.exe
Analysis ID:1583910
MD5:2210b6af1d0e46c80f4befbe4bdbf137
SHA1:76ad9f496ed9501c5ddc1a350c843e52d9e708b7
SHA256:f4a51197a7cc6b5251530f66c1d9792333bfe0db34e1acb78c3848f55fad0725
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:34
Range:0 - 100

Signatures

Detected unpacking (changes PE section rights)
.NET source code contains potential unpacker
AI detected suspicious sample
Contain functionality to detect virtual machines
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to debug other processes
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w11x64_office
  • CEFA-FAS_LicMgr.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe" MD5: 2210B6AF1D0E46C80F4BEFBE4BDBF137)
    • CEFA-FAS_LicThsUtils.exe (PID: 3004 cmdline: "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -currentkey MD5: FD01EB714D43DB949B2B0C45EC211833)
      • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • CEFA-FAS_LicThsUtils.exe (PID: 1348 cmdline: "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -macid MD5: FD01EB714D43DB949B2B0C45EC211833)
      • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • CEFA-FAS_LicThsUtils.exe (PID: 2412 cmdline: "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expireddate MD5: FD01EB714D43DB949B2B0C45EC211833)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • CEFA-FAS_LicThsUtils.exe (PID: 6268 cmdline: "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expired MD5: FD01EB714D43DB949B2B0C45EC211833)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • CEFA-FAS_LicThsUtils.exe (PID: 444 cmdline: "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -licinfo MD5: FD01EB714D43DB949B2B0C45EC211833)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
CEFA-FAS_LicMgr.exeJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.1375964616.0000000000C52000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: CEFA-FAS_LicMgr.exe PID: 6344JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.CEFA-FAS_LicMgr.exe.c50000.0.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-03T21:10:29.098670+010028032742Potentially Bad Traffic192.168.2.2561953128.65.195.89443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.6% probability
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0330 EncryptData,0_2_110F0330
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F09B0 EncryptDataAES,0_2_110F09B0
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F05C0 DecryptData,0_2_110F05C0
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeEXE: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeJump to behavior

            Compliance

            barindex
            EXE planting / hijacking vulnerabilities found
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeEXE: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeJump to behavior
            Uses 32bit PE files
            Source: CEFA-FAS_LicMgr.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Creates a software uninstall entry
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeRegistry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\5pgytxrewcrvrgzw2fea6yh2w86q7d9vJump to behavior
            PE / OLE file has a valid certificate
            Source: CEFA-FAS_LicMgr.exeStatic PE information: certificate valid
            Uses secure TLS version for HTTPS connections
            Source: unknownHTTPS traffic detected: 128.65.195.89:443 -> 192.168.2.25:61950 version: TLS 1.2
            Contains modern PE file flags such as dynamic base (ASLR) or NX
            Source: CEFA-FAS_LicMgr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Binary contains paths to debug symbols
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256 source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/src/MahApps.Metro/obj/Release/net47/MahApps.Metro.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.00000000065F8000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: C:\Temp\CEFA\LicManager\LicThsUtilsCApp.pdb'' source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1404137930.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406793875.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1406957699.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410075940.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1413792601.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419640922.0000000000203000.00000040.00000001.01000000.0000000E.sdmp
            Source: Binary string: C:\Temp\CEFA\LicManager\LicThsUtilsCApp.pdb source: CEFA-FAS_LicThsUtils.exe, 00000001.00000000.1401800686.0000000000201000.00000080.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1404137930.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406793875.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1406957699.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410075940.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1413792601.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419640922.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr
            Source: Binary string: /_/src/ControlzEx/obj/Release/net462/ControlzEx.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Microsoft.Xaml.Behaviors\obj\Release\net462\Microsoft.Xaml.Behaviors.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712407595.0000000007200000.00000004.08000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DEC107 SendMessageA,FindFirstFileA,GetDriveTypeA,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FindClose,GetLastError,FindClose,1_2_02DEC107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14230 GetFileAttributesA,FindFirstFileA,1_2_02C14230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14E3E FindFirstFileA,FindClose,1_2_02C14E3E
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C01309 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,1_2_02C01309
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C15085 FindFirstFileA,FindClose,1_2_02C15085
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C02090 FindFirstFileA,CopyFileA,1_2_02C02090
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C011B4 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,1_2_02C011B4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BF06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,1_2_02BF06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BEEAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,1_2_02BEEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14B90 FindFirstFileA,FindClose,1_2_02C14B90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE4B20 FindFirstFileA,FindNextFileA,DeleteFileA,DeleteFileA,FindNextFileA,FindClose,1_2_02BE4B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BEF8A0 GetLastError,FindFirstFileA,1_2_02BEF8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BF9970 GetFileAttributesA,GetTempPathA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime,DeleteFileA,DeleteFileA,FindFirstFileA,FindFirstFileA,FindClose,GetCurrentThreadId,GetCurrentProcessId,FindFirstFileA,CreateFileA,CreateFileA,WriteFile,MoveFileA,GetFileAttributesA,DeleteFileA,1_2_02BF9970
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE1F20 FindFirstFileA,FindFirstFileA,FindClose,GetModuleHandleA,GetModuleFileNameA,FindFirstFileA,FindClose,1_2_02BE1F20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C8C107 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_02C8C107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BAEAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,3_2_02BAEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA4B20 FindFirstFileA,FindClose,3_2_02BA4B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BAF8A0 GetLastError,FindFirstFileA,3_2_02BAF8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC1110 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,3_2_02BC1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BB06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,3_2_02BB06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4230 GetFileAttributesA,FindFirstFileA,3_2_02BD4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4E00 SearchPathW,FindFirstFileA,FindClose,CompareFileTime,FindFirstFileA,FindClose,3_2_02BD4E00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4B90 FindFirstFileA,FindClose,3_2_02BD4B90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02E9C107 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,5_2_02E9C107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C9EAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,5_2_02C9EAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C94B20 FindFirstFileA,FindClose,5_2_02C94B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C9F8A0 GetLastError,FindFirstFileA,5_2_02C9F8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB1110 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,5_2_02CB1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CA06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,5_2_02CA06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4230 GetFileAttributesA,FindFirstFileA,5_2_02CC4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4E00 SearchPathW,FindFirstFileA,FindClose,CompareFileTime,FindFirstFileA,FindClose,5_2_02CC4E00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4B90 FindFirstFileA,FindClose,5_2_02CC4B90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push esi1_2_02BFD091
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push 02BF26C0h1_2_02BF26A1
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push FFFFFFFFh1_2_02BE34C5
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push esi3_2_02BBD091
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push 02BB26C0h3_2_02BB26A4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push FFFFFFFFh3_2_02BA34C5
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push esi5_2_02CAD091
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push 02CA26C0h5_2_02CA26A4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 4x nop then push FFFFFFFFh5_2_02C934C5
            Source: Joe Sandbox ViewJA3 fingerprint: 6a5d235ee78c6aede6a61448b4e9ff1e
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.25:61953 -> 128.65.195.89:443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /licensing/v2/check2.php?nocollect HTTP/1.1User-Agent: CEFA FAS S2 Licenses ManagerHost: www.cefa-aviation.netConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B69D-C8E9-B57D-58FC-5F4EDD2F6621_qgklap-42%2027%20b6%209d%20c8%20e9%20b5%207d-58%20fc%205f%204e%20dd%202f%2066%2021&vsc=0&ver=2.0.14 HTTP/1.1User-Agent: CEFA FAS S2 Licenses ManagerHost: www.cefa-aviation.net
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 'q-http://www.linkedin.com/company/cefa-aviation equals www.linkedin.com (Linkedin)
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 'q-http://www.linkedin.com/company/cefa-aviation, equals www.linkedin.com (Linkedin)
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 'q.https://www.facebook.com/CEFAAviationofficial/ equals www.facebook.com (Facebook)
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 'q8https://www.youtube.com/channel/UCbtKlI798YguOhnaxxcID9g equals www.youtube.com (Youtube)
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: -http://www.linkedin.com/company/cefa-aviation equals www.linkedin.com (Linkedin)
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: .https://www.facebook.com/CEFAAviationofficial/ equals www.facebook.com (Facebook)
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: 8https://www.youtube.com/channel/UCbtKlI798YguOhnaxxcID9g equals www.youtube.com (Youtube)
            Source: global trafficDNS traffic detected: DNS query: www.cefa-aviation.net
            Source: unknownHTTP traffic detected: POST /licensing/v2/Collect/collect.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8dd2c0b1097d770User-Agent: CEFA FAS S2 Licenses ManagerHost: www.cefa-aviation.netContent-Length: 9359Expect: 100-continue
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2701634415.0000000006147000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssu
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuT
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2670827199.0000000001EF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            Source: LicUtils.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/Glow.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/Glow.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/LicManager;component/views/mainwnd.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/LicManager;component/views/mainwnd.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/BadgedEx.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/BadgedEx.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/Glow.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/Glow.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControlEx.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControlEx.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/controls/glowwindow.baml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/controls/glowwindow.bamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/badgedex.baml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/badgedex.bamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/glow.baml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/glow.bamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrolex.baml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrolex.bamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/views/mainwnd.baml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/views/mainwnd.bamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/controls/glowwindow.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/controls/glowwindow.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/views/mainwnd.xaml
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/views/mainwnd.xamlT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: http://metro.mahapps.com/winfx/xaml/controls
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000072F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://metro.mahapps.com/winfx/xaml/controls4
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.0000000006330000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://metro.mahapps.com/winfx/xaml/shared
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000074B6000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000003.1413442539.000000000296D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000003.1419207281.00000000027ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://thinstall.com
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404977002.0000000002C78000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1407875163.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1411619488.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1415009557.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1420465626.00000000026A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://thinstall.com/help/index.html?customizingdialogboxes.htm
            Source: CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1411619488.0000000002D28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://thinstall.com/help/index.html?customizingdialogboxes.htm6
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000003.1413442539.000000000296D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000003.1419207281.00000000027ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://thinstall.comThStatusBarChildClassThStatusBarCtrlClassAnimateWindowUSER32.DLLShell_TrayWnd...
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: http://twitter.com/CEFAAviation
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: http://www.cefa-aviation.com
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000754E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.cefa-aviation.net
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr, LicUtils.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: http://www.linkedin.com/company/cefa-aviation
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/ControlzEx/ControlzEx
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/ControlzEx/ControlzEx.git
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/ControlzEx/ControlzEx0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.0000000006330000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/MahApps/MahApps.Metro.git
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.00000000065F8000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/MahApps/MahApps.Metro0
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/NLog/NLog.git
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712407595.0000000007200000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/XamlBehaviorsWpf
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://nlog-project.org/
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075C3000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000754E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000072F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/2Gy
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/Collect/collect.php
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/Collect/collect.phpthttps://www.cefa-aviation.net/licensi
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/check2.php
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075C3000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/check2.php?nocollect
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.cefa-aviation.net/licensing/v2/reportInst2.php
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net:443/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net:443/licensing/v2/check2.php?noco
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000074B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollect
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollectT
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
            Source: CEFA-FAS_LicMgr.exeString found in binary or memory: https://www.youtube.com/channel/UCbtKlI798YguOhnaxxcID9g
            Source: unknownNetwork traffic detected: HTTP traffic on port 61953 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 61950 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 61951 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61953
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61950
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61951
            Source: unknownHTTPS traffic detected: 128.65.195.89:443 -> 192.168.2.25:61950 version: TLS 1.2
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DE332D QueryPerformanceCounter,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,GetCurrentThreadId,GlobalMemoryStatus,GetActiveWindow,GetCapture,GetClipboardOwner,GetClipboardViewer,GetCurrentProcess,GetCurrentProcessId,GetCurrentThread,GetCurrentThreadId,GetTickCount,GetDesktopWindow,GetFocus,GetInputState,GetMessagePos,GetMessageTime,GetOpenClipboardWindow,GetProcessHeap,GetProcessWindowStation,GetQueueStatus,1_2_02DE332D

            System Summary

            barindex
            PE file contains section with special chars
            Source: CEFA-FAS_LicMgr.exeStatic PE information: section name: mlZz|4
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            PE file has a writeable .text section
            Source: CEFA-FAS_LicThsUtils.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            PE file has nameless sections
            Source: CEFA-FAS_LicMgr.exeStatic PE information: section name:
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380CB680_2_0380CB68
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380CB780_2_0380CB78
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380D3110_2_0380D311
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380D3200_2_0380D320
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380DDD70_2_0380DDD7
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0380DDE80_2_0380DDE8
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0714A8590_2_0714A859
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6814200_2_0D681420
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6856580_2_0D685658
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D68257B0_2_0D68257B
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6825C80_2_0D6825C8
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6825BB0_2_0D6825BB
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6814000_2_0D681400
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6856380_2_0D685638
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D686E000_2_0D686E00
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6839200_2_0D683920
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D6838F00_2_0D6838F0
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11C93CB40_2_11C93CB4
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11C950840_2_11C95084
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0714698A0_2_0714698A
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_002020B31_2_002020B3
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DEE3C51_2_02DEE3C5
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DF347D1_2_02DF347D
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C142301_2_02C14230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C040E01_2_02C040E0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE38101_2_02BE3810
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C332101_2_02C33210
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C013091_2_02C01309
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C3F0291_2_02C3F029
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C321701_2_02C32170
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C096001_2_02C09600
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C3E4DA1_2_02C3E4DA
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C32A901_2_02C32A90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BEEAD01_2_02BEEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C00A791_2_02C00A79
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C12BC01_2_02C12BC0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C31B001_2_02C31B00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C3FB291_2_02C3FB29
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE78901_2_02BE7890
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C328001_2_02C32800
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C459C41_2_02C459C4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE59101_2_02BE5910
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BF99701_2_02BF9970
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C499391_2_02C49939
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C2FEC01_2_02C2FEC0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C31EE01_2_02C31EE0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C33FB01_2_02C33FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C3DF141_2_02C3DF14
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C8E3C53_2_02C8E3C5
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C9347D3_2_02C9347D
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC40E03_2_02BC40E0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA38103_2_02BA3810
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BAEAD03_2_02BAEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC0A503_2_02BC0A50
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA78903_2_02BA7890
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA59103_2_02BA5910
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC11103_2_02BC1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BB99703_2_02BB9970
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC96003_2_02BC9600
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD42303_2_02BD4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF2A903_2_02BF2A90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF32103_2_02BF3210
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF1B003_2_02BF1B00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD10013_2_02BD1001
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF28003_2_02BF2800
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF21703_2_02BF2170
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF1EE03_2_02BF1EE0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BEFEC03_2_02BEFEC0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD1FB03_2_02BD1FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BF3FB03_2_02BF3FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BFF0293_2_02BFF029
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BFFB293_2_02BFFB29
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C059C43_2_02C059C4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C099393_2_02C09939
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02E9E3C55_2_02E9E3C5
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02EA347D5_2_02EA347D
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CEF0295_2_02CEF029
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CEFB295_2_02CEFB29
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CF59C45_2_02CF59C4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CF99395_2_02CF9939
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB40E05_2_02CB40E0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C938105_2_02C93810
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C9EAD05_2_02C9EAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB0A505_2_02CB0A50
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C978905_2_02C97890
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CA99705_2_02CA9970
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C959105_2_02C95910
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB11105_2_02CB1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB96005_2_02CB9600
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC42305_2_02CC4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE2A905_2_02CE2A90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE32105_2_02CE3210
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE1B005_2_02CE1B00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC10015_2_02CC1001
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE28005_2_02CE2800
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE21705_2_02CE2170
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CDFEC05_2_02CDFEC0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE1EE05_2_02CE1EE0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC1FB05_2_02CC1FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CE3FB05_2_02CE3FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02C0D100 appears 258 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02C41A6B appears 49 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02C8B4C0 appears 40 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02BE28E0 appears 76 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02C136D0 appears 34 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02E9B4C0 appears 40 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02DEB4C0 appears 41 times
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: String function: 02BF3010 appears 336 times
            Source: CEFA-FAS_LicMgr.exeBinary or memory string: OriginalFilename vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.00000000065F8000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMahApps.Metro.dll< vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEFA.Utils.dll6 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: _originalFileName vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNLog.dll8 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712407595.0000000007200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNLog.dll8 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameControlzEx.dll6 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLicManager.exe@ vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'q,\\StringFileInfo\\000004B0\\OriginalFilename vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2717050917.0000000008440000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEFA.Utils.WPF.dll> vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: _originalFileName vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNLog.dll8 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenameLicUtils.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2711387634.0000000007180000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEFA.Utils.dll6 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenameLicUtils.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: _originalFileName vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNLog.dll8 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2661932328.0000000001950000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exeBinary or memory string: OriginalFilenameLicThsUt.exe8 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exeBinary or memory string: OriginalFilenameLicUtils.dll2 vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exeBinary or memory string: OriginalFilenameLicManager.exe@ vs CEFA-FAS_LicMgr.exe
            Source: CEFA-FAS_LicMgr.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: CEFA-FAS_LicMgr.exeStatic PE information: Section: mlZz|4 ZLIB complexity 1.0005122950819672
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Dark.SLN
            Source: classification engineClassification label: mal48.evad.winEXE@16/8@1/1
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C39400 GetLastError,GetLastError,GetLastError,FormatMessageA,LocalFree,1_2_02C39400
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C2D3A0 FindResourceA,1_2_02C2D3A0
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile created: C:\Users\user\Desktop\binJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile created: C:\Users\user\AppData\Local\Temp\20250103_152659_ewmgb3efq5krcg32_172892Jump to behavior
            Source: CEFA-FAS_LicMgr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeFile read: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile read: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe:Zone.IdentifierJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe "C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe"
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -currentkey
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -macid
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expireddate
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expired
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -licinfo
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -currentkeyJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -macidJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expireddateJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expiredJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -licinfoJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: msvcp140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: d3d9.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: directxdatabasehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: virtdisk.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dataexchange.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: d3dcompiler_47.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dcomp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: msctfui.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: uiautomationcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: cfgmgr32.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeFile written: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeFile opened: C:\Windows\SysWOW64\riched32.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeRegistry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\5pgytxrewcrvrgzw2fea6yh2w86q7d9vJump to behavior
            Source: CEFA-FAS_LicMgr.exeStatic PE information: certificate valid
            Source: CEFA-FAS_LicMgr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: CEFA-FAS_LicMgr.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: CEFA-FAS_LicMgr.exeStatic file information: File size 8240656 > 1048576
            Source: CEFA-FAS_LicMgr.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x79dc00
            Source: CEFA-FAS_LicMgr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256 source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: /_/src/MahApps.Metro/obj/Release/net47/MahApps.Metro.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.00000000065F8000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: C:\Temp\CEFA\LicManager\LicThsUtilsCApp.pdb'' source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1404137930.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406793875.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1406957699.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410075940.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1413792601.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419640922.0000000000203000.00000040.00000001.01000000.0000000E.sdmp
            Source: Binary string: C:\Temp\CEFA\LicManager\LicThsUtilsCApp.pdb source: CEFA-FAS_LicThsUtils.exe, 00000001.00000000.1401800686.0000000000201000.00000080.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1404137930.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406793875.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1406957699.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410075940.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1413792601.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419640922.0000000000203000.00000040.00000001.01000000.0000000E.sdmp, CEFA-FAS_LicMgr.exe, CEFA-FAS_LicThsUtils.exe.0.dr
            Source: Binary string: /_/src/ControlzEx/obj/Release/net462/ControlzEx.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Microsoft.Xaml.Behaviors\obj\Release\net462\Microsoft.Xaml.Behaviors.pdb source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712407595.0000000007200000.00000004.08000000.00040000.00000000.sdmp

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeUnpacked PE file: 1.2.CEFA-FAS_LicThsUtils.exe.200000.0.unpack .text:EW;.res:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
            .NET source code contains potential unpacker
            Source: 0.2.CEFA-FAS_LicMgr.exe.10560000.17.raw.unpack, DynamicUtils.cs.Net Code: CreateSharpArgumentInfoArray
            Source: 0.2.CEFA-FAS_LicMgr.exe.10560000.17.raw.unpack, LateBoundReflectionDelegateFactory.cs.Net Code: CreateDefaultConstructor
            Yara detected Costura Assembly Loader
            Source: Yara matchFile source: CEFA-FAS_LicMgr.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.CEFA-FAS_LicMgr.exe.c50000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1375964616.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: CEFA-FAS_LicMgr.exe PID: 6344, type: MEMORYSTR
            Source: CEFA-FAS_LicMgr.exeStatic PE information: 0xFA5DD9BB [Fri Feb 9 08:56:27 2103 UTC]
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DF2EFF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_02DF2EFF
            Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
            Source: CEFA-FAS_LicMgr.exeStatic PE information: section name: mlZz|4
            Source: CEFA-FAS_LicMgr.exeStatic PE information: section name:
            Source: CEFA-FAS_LicThsUtils.exe.0.drStatic PE information: section name: .res
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name:
            Source: LicUtils.dll.0.drStatic PE information: section name: .winlice
            Source: LicUtils.dll.0.drStatic PE information: section name: .boot
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0F10 push eax; mov dword ptr [esp], esi0_2_1155AE8A
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0F10 push 049592FAh; mov dword ptr [esp], edx0_2_1155AE92
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0F10 push edi; mov dword ptr [esp], ebx0_2_1155AF1A
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_1110D12C push 373FACA9h; mov dword ptr [esp], eax0_2_111139C4
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11111046 push 56A0C6FCh; mov dword ptr [esp], edx0_2_112FF24E
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11111046 push 5E5658EAh; mov dword ptr [esp], eax0_2_113702AA
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11111046 push ebx; mov dword ptr [esp], eax0_2_113702AE
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11111046 push esi; mov dword ptr [esp], edx0_2_1148C36F
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_1114B378 push eax; mov dword ptr [esp], 47E0047Ah0_2_114EE302
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E2160 push 4C32A8E1h; mov dword ptr [esp], ecx0_2_114F333E
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E2160 push ebp; mov dword ptr [esp], esi0_2_114F3342
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E2160 push 6D98183Ah; mov dword ptr [esp], esi0_2_114F3355
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E2160 push esi; mov dword ptr [esp], ebp0_2_114F3359
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E2160 push esi; mov dword ptr [esp], eax0_2_114F33E8
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0270 push 40F59297h; mov dword ptr [esp], edi0_2_1156DD50
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F0270 push eax; mov dword ptr [esp], ebx0_2_1156DD67
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F2470 push 5ED6656Ah; mov dword ptr [esp], ecx0_2_115A2689
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F2470 push eax; mov dword ptr [esp], esi0_2_115A26A5
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F2470 push 50B72FB6h; mov dword ptr [esp], eax0_2_115A26D4
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110F2470 push 65F5AA4Eh; mov dword ptr [esp], ecx0_2_115A2741
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_112CECA8 push 5A610BEDh; mov dword ptr [esp], ebx0_2_114D7908
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_112F0CBD push esi; mov dword ptr [esp], eax0_2_112F4D83
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_112F0CBD push edx; mov dword ptr [esp], ebp0_2_112F4D8E
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E24B0 push 4C00D44Eh; mov dword ptr [esp], esi0_2_1151E7CE
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E24B0 push 0B9ECE0Ch; mov dword ptr [esp], edi0_2_1151E80F
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_110E24B0 push ecx; mov dword ptr [esp], ebx0_2_1151E835
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_11103FCE push 6C29D9D5h; mov dword ptr [esp], edi0_2_1146F236
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_111030E4 push 6231F10Ah; mov dword ptr [esp], esi0_2_114BD4E7
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_01EB0BD8 push ss; retf 0005h0_2_01EB0BDA
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_07141E45 pushfd ; iretd 0_2_07141E4E
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: 0_2_0D17C55A push eax; iretd 0_2_0D17C55B
            Source: CEFA-FAS_LicMgr.exeStatic PE information: section name: mlZz|4 entropy: 7.993807913628257
            Source: LicUtils.dll.0.drStatic PE information: section name: entropy: 7.955350686112204
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile created: C:\Users\user\Desktop\LicUtils.dllJump to dropped file
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeJump to dropped file

            Boot Survival

            barindex
            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Contain functionality to detect virtual machines
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: vmware vmware vmware 0_2_110EDA30
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeCode function: vboxrev vboxrev 0_2_110EEEC0
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: FirmwareTableInformationJump to behavior
            Tries to detect sandboxes / dynamic malware analysis system (registry check)
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: CEFA-FAS_LicThsUtils.exeBinary or memory string: GENERATED DUMP FILE %S - USE WINDBG.EXE (DEBUGGING TOOLS FOR WINDOWS) TO SEE DETAILS
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1407417764.0000000002C18000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410977213.0000000002D08000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1414110759.0000000002828000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419971332.00000000025B8000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: NO ASSOCIATED DLL/EXE FOUNDGENERATED DUMP FILE %S - USE WINDBG.EXE (DEBUGGING TOOLS FOR WINDOWS) TO SEE DETAILS
            Source: CEFA-FAS_LicThsUtils.exe, CEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1407417764.0000000002C18000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1410977213.0000000002D08000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1414110759.0000000002828000.00000040.10000000.00040000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1419971332.00000000025B8000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: GENERATED DUMP FILE %S - USE WINDBG.EXE (DEBUGGING TOOLS FOR WINDOWS) TO SEE DETAILS
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 1E70000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 3850000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 37A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 72F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 82F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: 72F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C24FB0 rdtsc 1_2_02C24FB0
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599885Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599776Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599664Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599552Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599425Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599297Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599195Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599075Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598966Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598866Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598756Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598629Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598501Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598373Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598272Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598165Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598053Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597925Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597797Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597696Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597589Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597477Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597366Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597261Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597142Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597015Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596903Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596791Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596679Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596567Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596440Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596312Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596201Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeWindow / User API: threadDelayed 8530Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeWindow / User API: threadDelayed 904Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeDropped PE file which has not been started: C:\Users\user\Desktop\LicUtils.dllJump to dropped file
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-52425
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-52466
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -100000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99888s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99777s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99676s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99553s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99425s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99297s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99194s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -99073s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -98968s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599885s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599776s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599664s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599552s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599425s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599297s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599195s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -599075s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598966s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598866s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598756s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598629s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598501s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598373s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598272s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598165s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -598053s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597925s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597797s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597696s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597589s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597366s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597261s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597142s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -597015s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596903s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596791s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596679s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596567s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596440s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe TID: 5004Thread sleep time: -596201s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeFile opened: PhysicalDrive0Jump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DEC107 SendMessageA,FindFirstFileA,GetDriveTypeA,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FileTimeToLocalFileTime,FileTimeToSystemTime,SendMessageA,FindClose,GetLastError,FindClose,1_2_02DEC107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14230 GetFileAttributesA,FindFirstFileA,1_2_02C14230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14E3E FindFirstFileA,FindClose,1_2_02C14E3E
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C01309 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,1_2_02C01309
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C15085 FindFirstFileA,FindClose,1_2_02C15085
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C02090 FindFirstFileA,CopyFileA,1_2_02C02090
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C011B4 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,1_2_02C011B4
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BF06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,1_2_02BF06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BEEAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,1_2_02BEEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C14B90 FindFirstFileA,FindClose,1_2_02C14B90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE4B20 FindFirstFileA,FindNextFileA,DeleteFileA,DeleteFileA,FindNextFileA,FindClose,1_2_02BE4B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BEF8A0 GetLastError,FindFirstFileA,1_2_02BEF8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BF9970 GetFileAttributesA,GetTempPathA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime,DeleteFileA,DeleteFileA,FindFirstFileA,FindFirstFileA,FindClose,GetCurrentThreadId,GetCurrentProcessId,FindFirstFileA,CreateFileA,CreateFileA,WriteFile,MoveFileA,GetFileAttributesA,DeleteFileA,1_2_02BF9970
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE1F20 FindFirstFileA,FindFirstFileA,FindClose,GetModuleHandleA,GetModuleFileNameA,FindFirstFileA,FindClose,1_2_02BE1F20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C8C107 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_02C8C107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BAEAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,3_2_02BAEAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA4B20 FindFirstFileA,FindClose,3_2_02BA4B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BAF8A0 GetLastError,FindFirstFileA,3_2_02BAF8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC1110 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,3_2_02BC1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BB06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,3_2_02BB06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4230 GetFileAttributesA,FindFirstFileA,3_2_02BD4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4E00 SearchPathW,FindFirstFileA,FindClose,CompareFileTime,FindFirstFileA,FindClose,3_2_02BD4E00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BD4B90 FindFirstFileA,FindClose,3_2_02BD4B90
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02E9C107 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,5_2_02E9C107
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C9EAD0 GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,SetLastError,GetFileAttributesA,GetLastError,SetLastError,SetLastError,FindFirstFileA,SetLastError,5_2_02C9EAD0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C94B20 FindFirstFileA,FindClose,5_2_02C94B20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C9F8A0 GetLastError,FindFirstFileA,5_2_02C9F8A0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB1110 FindFirstFileA,FindClose,CompareFileTime,CompareFileTime,FindFirstFileA,FindClose,SetFilePointer,ReadFile,WriteFile,CloseHandle,5_2_02CB1110
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CA06D0 SetLastError,FindFirstFileA,FindClose,SetLastError,SetLastError,5_2_02CA06D0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4230 GetFileAttributesA,FindFirstFileA,5_2_02CC4230
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4E00 SearchPathW,FindFirstFileA,FindClose,CompareFileTime,FindFirstFileA,FindClose,5_2_02CC4E00
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CC4B90 FindFirstFileA,FindClose,5_2_02CC4B90
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99888Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99777Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99676Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99553Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99425Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99297Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99194Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 99073Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 98968Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599885Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599776Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599664Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599552Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599425Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599297Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599195Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 599075Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598966Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598866Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598756Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598629Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598501Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598373Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598272Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598165Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 598053Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597925Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597797Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597696Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597589Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597477Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597366Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597261Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597142Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 597015Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596903Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596791Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596679Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596567Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596440Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596312Jump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeThread delayed: delay time: 596201Jump to behavior
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicMgr.exe, 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: Hyper-V
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: VMware
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: vmware
            Source: CEFA-FAS_LicMgr.exe, CEFA-FAS_LicMgr.exe, 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: hyper-v
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: -=======================================================-BIOSInformationsystemInformationbaseBoardInformationsystemEnclosureInformationprocessorInformationmemoryControllerInformationmemoryModuleInformationcacheInformationportConnectorInformationsystemSlotsonBoardDevicesInformationOEMStringsystemConfigurationOptionsBIOSLanguageInformationgroupAssociationssystemEventLogphysicalMemoryArraymemoryDevicememoryErrorInformationmemoryArrayMappedAddress><</vendor><vendor></version><version></BIOSStartingSegment><BIOSStartingSegment>0x</releaseDater><releaseDater>K</imageSize><imageSize></systemBIOSVersion>.<systemBIOSVersion></ECFirmwareVersion><ECFirmwareVersion></</manufacturer><manufacturer></productName><productName></serialNumber><serialNumber><UUID>%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X</UUID></SKUNumber><SKUNumber></family><family></length><length>0x </assetTagNumber><assetTagNumber></locationInChassis><locationInChassis></socketDesignation><socketDesignation></processorManufacturer><processorManufacturer></processorVersion><processorVersion>MHz, 0MHz is unknown clock</externalClock><externalClock>MHz</maxSpeed><maxSpeed>MHz</currentSpeed><currentSpeed><length>0x: ns:</currentSpeed></OEMString><OEMString>bits</totalWidth><totalWidth>bits</dataWidth><dataWidth></deviceLocator><deviceLocator></bankLocator><bankLocator></speed><speed></partNumber><partNumber></startingAddress><startingAddress>0x</endingAddress><endingAddress>0x</memoryArrayHandle><memoryArrayHandle>0x</partitionWidth><partitionWidth>0x<portableBattery></location><location></manufacturerDate><manufacturerDate></portableBattery>%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X</SMBIOSVersion><SMBIOSVersion></DMIRevision><DMIRevision></totalLength><totalLength>Virtual MachineMicrosoft CorporationHyper-Vinnotek GmbHXenHVM domUVMwareVirtualBoxvboxRevOracle CorporationAmazonAmazon EC2EC2XhD
            Source: CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1420342130.0000000002679000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: VMWare
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2701634415.000000000618C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
            Source: CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1420342130.0000000002679000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: %sKey is bad or incorrect password has been usedBad key formatNo Machine ID supplied* Netbiosnetapi32.dllGetAdaptersInfoIphlpapi.dllWirelessVirtualVMWareProductIdSOFTWARE\Microsoft\Windows NT\CurrentVersionSOFTWARE\Microsoft\Windows\CurrentVersionProductKeySOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s%s%s%s%s\%s%s.%d%s\%smachine_uuidc:\riched32.dllRICHEDIT
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end nodegraph_1-52498
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end nodegraph_1-50188
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end nodegraph_1-52789
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeSystem information queried: ModuleInformationJump to behavior

            Anti Debugging

            barindex
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: regmonclass
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: filemonclass
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C24FB0 rdtsc 1_2_02C24FB0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_002023F0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_002023F0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C07A20 GetModuleHandleA,GetProcAddress,GetVersionExA,GetCurrentProcessId,OpenFileMappingA,GetStartupInfoA,CreateProcessA,ExitProcess,ExitProcess,CreateFileMappingA,WaitForDebugEvent,ContinueDebugEvent,WaitForDebugEvent,ExitProcess,ExitProcess,ContinueDebugEvent,ContinueDebugEvent,CreateThread,1_2_02C07A20
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DF2EFF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_02DF2EFF
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02BE1150 mov eax, dword ptr fs:[00000030h]1_2_02BE1150
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BA1150 mov eax, dword ptr fs:[00000030h]3_2_02BA1150
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02C91150 mov eax, dword ptr fs:[00000030h]5_2_02C91150
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DE332D QueryPerformanceCounter,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,GetCurrentThreadId,GlobalMemoryStatus,GetActiveWindow,GetCapture,GetClipboardOwner,GetClipboardViewer,GetCurrentProcess,GetCurrentProcessId,GetCurrentThread,GetCurrentThreadId,GetTickCount,GetDesktopWindow,GetFocus,GetInputState,GetMessagePos,GetMessageTime,GetOpenClipboardWindow,GetProcessHeap,GetProcessWindowStation,GetQueueStatus,1_2_02DE332D
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_0020254F SetUnhandledExceptionFilter,1_2_0020254F
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_00201F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00201F54
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_002023F0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_002023F0
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DECE1A SetUnhandledExceptionFilter,1_2_02DECE1A
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DECE2C SetUnhandledExceptionFilter,1_2_02DECE2C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C4644E SetUnhandledExceptionFilter,1_2_02C4644E
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C4646C SetUnhandledExceptionFilter,1_2_02C4646C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02C06D10 SetUnhandledExceptionFilter,1_2_02C06D10
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C8CE1A SetUnhandledExceptionFilter,3_2_02C8CE1A
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C8CE2C SetUnhandledExceptionFilter,3_2_02C8CE2C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02BC6D10 SetUnhandledExceptionFilter,3_2_02BC6D10
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 3_2_02C0646C SetUnhandledExceptionFilter,3_2_02C0646C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02E9CE2C SetUnhandledExceptionFilter,5_2_02E9CE2C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02E9CE1A SetUnhandledExceptionFilter,5_2_02E9CE1A
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CF646C SetUnhandledExceptionFilter,5_2_02CF646C
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 5_2_02CB6D10 SetUnhandledExceptionFilter,5_2_02CB6D10
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -currentkeyJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -macidJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expireddateJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expiredJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeProcess created: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe "C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -licinfoJump to behavior
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWndhwnd]The parameter can not be either null or empty.
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2711387634.0000000007180000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd,Shell_SecondaryTrayWnd
            Source: CEFA-FAS_LicMgr.exe, 00000000.00000002.2711387634.0000000007180000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd+class_name is not setCCould not register window class (
            Source: CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DISPLAYOPENhttp://thinstall.comThStatusBarChildClassThStatusBarCtrlClassAnimateWindowUSER32.DLLShell_TrayWnd...
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_00202637 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00202637
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DF2475 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,1_2_02DF2475
            Source: C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exeCode function: 1_2_02DEC88E GetVersion,GetCommandLineA,1_2_02DEC88E
            Source: C:\Users\user\Desktop\CEFA-FAS_LicMgr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
            Native API            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		OS Credential Dumping2
            System Time Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Search Order Hijacking            		1
            DLL Search Order Hijacking            		1
            Deobfuscate/Decode Files or Information            		LSASS Memory3
            File and Directory Discovery            		Remote Desktop Protocol1
            Clipboard Data            		21
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt1
            Image File Execution Options Injection            		1
            Image File Execution Options Injection            		4
            Obfuscated Files or Information            		Security Account Manager25
            System Information Discovery            		SMB/Windows Admin SharesData from Network Shared Drive3
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCron1
            Windows Service            		1
            Windows Service            		22
            Software Packing            		NTDS641
            Security Software Discovery            		Distributed Component Object ModelInput Capture4
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
            Process Injection            		1
            Timestomp            		LSA Secrets1
            Process Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain Credentials341
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Search Order Hijacking            		DCSync1
            Application Window Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Masquerading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt341
            Virtualization/Sandbox Evasion            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron12
            Process Injection            		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583910 Sample: CEFA-FAS_LicMgr.exe Startdate: 03/01/2025 Architecture: WINDOWS Score: 48 36 www.cefa-aviation.net 2->36 40 .NET source code contains potential unpacker 2->40 42 PE file contains section with special chars 2->42 44 PE file has nameless sections 2->44 46 4 other signatures 2->46 8 CEFA-FAS_LicMgr.exe 15 9 2->8         started        signatures3 process4 dnsIp5 38 www.cefa-aviation.net 128.65.195.89, 443, 61950, 61951 INFOMANIAK-ASCH Switzerland 8->38 32 C:\Users\user\...\CEFA-FAS_LicThsUtils.exe, PE32 8->32 dropped 34 C:\Users\user\Desktop\LicUtils.dll, PE32 8->34 dropped 48 Query firmware table information (likely to detect VMs) 8->48 50 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->50 52 Contain functionality to detect virtual machines 8->52 54 2 other signatures 8->54 13 CEFA-FAS_LicThsUtils.exe 4 10 8->13         started        16 CEFA-FAS_LicThsUtils.exe 7 8->16         started        18 CEFA-FAS_LicThsUtils.exe 7 8->18         started        20 2 other processes 8->20 file6 signatures7 process8 signatures9 56 Detected unpacking (changes PE section rights) 13->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->58 22 conhost.exe 13->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        process10

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://foo/Themes/BadgedEx.xamlT0%Avira URL Cloudsafe
            http://foo/views/mainwnd.xaml0%Avira URL Cloudsafe
            https://www.cefa-aviation.net0%Avira URL Cloudsafe
            https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollect0%Avira URL Cloudsafe
            http://foo/bar/themes/tabcontrolex.baml0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xaml0%Avira URL Cloudsafe
            http://foo/Themes/TabControlEx.xamlT0%Avira URL Cloudsafe
            http://metro.mahapps.com/winfx/xaml/controls0%Avira URL Cloudsafe
            http://www.cefa-aviation.net0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/check2.php?nocollect0%Avira URL Cloudsafe
            http://metro.mahapps.com/winfx/xaml/shared0%Avira URL Cloudsafe
            http://foo/bar/themes/tabcontrolex.bamlT0%Avira URL Cloudsafe
            http://foo/bar/themes/glow.bamlT0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xamlT0%Avira URL Cloudsafe
            http://foo/bar/views/mainwnd.baml0%Avira URL Cloudsafe
            http://foo/controls/glowwindow.xaml0%Avira URL Cloudsafe
            http://foo/Themes/BadgedEx.xaml0%Avira URL Cloudsafe
            http://foo/bar/controls/glowwindow.baml0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/reportInst2.php0%Avira URL Cloudsafe
            http://foo/bar/themes/badgedex.baml0%Avira URL Cloudsafe
            http://thinstall.com/help/index.html?customizingdialogboxes.htm0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/Glow.xamlT0%Avira URL Cloudsafe
            http://thinstall.com0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xamlT0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xaml0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xaml0%Avira URL Cloudsafe
            http://thinstall.comThStatusBarChildClassThStatusBarCtrlClassAnimateWindowUSER32.DLLShell_TrayWnd...0%Avira URL Cloudsafe
            http://foo/Themes/TabControlEx.xaml0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/Collect/collect.php0%Avira URL Cloudsafe
            http://foo/Themes/Glow.xamlT0%Avira URL Cloudsafe
            http://defaultcontainer/LicManager;component/views/mainwnd.xaml0%Avira URL Cloudsafe
            http://thinstall.com/help/index.html?customizingdialogboxes.htm60%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/0%Avira URL Cloudsafe
            http://metro.mahapps.com/winfx/xaml/controls40%Avira URL Cloudsafe
            https://www.cefa-aviation.net:443/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=40%Avira URL Cloudsafe
            http://foo/bar/themes/badgedex.bamlT0%Avira URL Cloudsafe
            http://foo/views/mainwnd.xamlT0%Avira URL Cloudsafe
            http://foo/controls/glowwindow.xamlT0%Avira URL Cloudsafe
            http://defaultcontainer/LicManager;component/views/mainwnd.xamlT0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;component/Themes/Glow.xaml0%Avira URL Cloudsafe
            http://foo/Themes/Glow.xaml0%Avira URL Cloudsafe
            http://foo/bar/views/mainwnd.bamlT0%Avira URL Cloudsafe
            http://foo/bar/controls/glowwindow.bamlT0%Avira URL Cloudsafe
            http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xamlT0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/check2.php0%Avira URL Cloudsafe
            https://www.cefa-aviation.net:443/licensing/v2/check2.php?noco0%Avira URL Cloudsafe
            http://www.cefa-aviation.com0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B69D-C8E9-B57D-58FC-5F4EDD2F6621_qgklap-42%2027%20b6%209d%20c8%20e9%20b5%207d-58%20fc%205f%204e%20dd%202f%2066%2021&vsc=0&ver=2.0.140%Avira URL Cloudsafe
            http://foo/bar/themes/glow.baml0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/Collect/collect.phpthttps://www.cefa-aviation.net/licensi0%Avira URL Cloudsafe
            https://www.cefa-aviation.net/licensing/v2/2Gy0%Avira URL Cloudsafe
            https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollectT0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.cefa-aviation.net
            		128.65.195.89
            		truefalse
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://www.cefa-aviation.net/licensing/v2/check2.php?nocollectfalse
              • Avira URL Cloud: safe
              		unknown
              https://www.cefa-aviation.net/licensing/v2/Collect/collect.phpfalse
              • Avira URL Cloud: safe
              		unknown
              https://www.cefa-aviation.net/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B69D-C8E9-B57D-58FC-5F4EDD2F6621_qgklap-42%2027%20b6%209d%20c8%20e9%20b5%207d-58%20fc%205f%204e%20dd%202f%2066%2021&vsc=0&ver=2.0.14false
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              https://www.cefa-aviation.netCEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075C3000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000735F000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000754E000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://foo/views/mainwnd.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://foo/Themes/TabControlEx.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://foo/bar/themes/tabcontrolex.bamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.linkedin.com/company/cefa-aviationCEFA-FAS_LicMgr.exefalse
                		high
                http://foo/Themes/BadgedEx.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/soap/envelope/CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpfalse
                  		high
                  https://nlog-project.org/CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpfalse
                    		high
                    https://www.newtonsoft.com/jsonCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollectCEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000074B6000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://metro.mahapps.com/winfx/xaml/controlsCEFA-FAS_LicMgr.exefalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.cefa-aviation.net/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227BCEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075C3000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075BE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.cefa-aviation.netCEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.000000000754E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://github.com/ControlzEx/ControlzEx0CEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpfalse
                        		high
                        http://foo/bar/themes/tabcontrolex.bamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://metro.mahapps.com/winfx/xaml/sharedCEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.0000000006330000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://nlog-project.org/dummynamespace/CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpfalse
                          		high
                          http://foo/bar/themes/glow.bamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.cefa-aviation.net/licensing/v2/reportInst2.phpCEFA-FAS_LicMgr.exefalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://foo/Themes/BadgedEx.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://foo/controls/glowwindow.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://foo/bar/views/mainwnd.bamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://github.com/MahApps/MahApps.Metro0CEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.00000000065F8000.00000004.08000000.00040000.00000000.sdmpfalse
                            		high
                            http://foo/bar/controls/glowwindow.bamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://foo/bar/themes/badgedex.bamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://github.com/ControlzEx/ControlzEx.gitCEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpfalse
                              		high
                              http://thinstall.com/help/index.html?customizingdialogboxes.htmCEFA-FAS_LicThsUtils.exe, 00000001.00000002.1404977002.0000000002C78000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000002.1407875163.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1411619488.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000002.1415009557.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000002.1420465626.00000000026A8000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000074B6000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://defaultcontainer/ControlzEx;component/Themes/Glow.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://defaultcontainer/ControlzEx;component/Themes/BadgedEx.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://thinstall.comThStatusBarChildClassThStatusBarCtrlClassAnimateWindowUSER32.DLLShell_TrayWnd...CEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000003.1413442539.000000000296D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000003.1419207281.00000000027ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://github.com/JamesNK/Newtonsoft.JsonCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://foo/Themes/TabControlEx.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://thinstall.comCEFA-FAS_LicThsUtils.exe, 00000001.00000003.1403525528.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000003.00000003.1406847823.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000005.00000003.1409209567.000000000300D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000007.00000003.1413442539.000000000296D000.00000004.00000020.00020000.00000000.sdmp, CEFA-FAS_LicThsUtils.exe, 00000009.00000003.1419207281.00000000027ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://defaultcontainer/ControlzEx;component/Themes/TabControlEx.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://github.com/NLog/NLog.gitCEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpfalse
                                    		high
                                    http://foo/Themes/Glow.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://defaultcontainer/LicManager;component/views/mainwnd.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.cefa-aviation.net:443/licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000075BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://thinstall.com/help/index.html?customizingdialogboxes.htm6CEFA-FAS_LicThsUtils.exe, 00000005.00000002.1411619488.0000000002D28000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.cefa-aviation.net/licensing/v2/CEFA-FAS_LicMgr.exefalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://metro.mahapps.com/winfx/xaml/controls4CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000072F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.youtube.com/channel/UCbtKlI798YguOhnaxxcID9gCEFA-FAS_LicMgr.exefalse
                                      		high
                                      https://github.com/ControlzEx/ControlzExCEFA-FAS_LicMgr.exe, 00000000.00000002.2709998208.00000000070F0000.00000004.08000000.00040000.00000000.sdmpfalse
                                        		high
                                        http://foo/bar/themes/badgedex.bamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://foo/controls/glowwindow.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.nuget.org/packages/NLog.Web.AspNetCoreCEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004851000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2718790166.0000000008760000.00000004.08000000.00040000.00000000.sdmpfalse
                                          		high
                                          http://james.newtonking.com/projects/jsonCEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://foo/views/mainwnd.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://defaultcontainer/LicManager;component/views/mainwnd.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://defaultcontainer/ControlzEx;component/Themes/Glow.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://foo/Themes/Glow.xamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://foo/bar/views/mainwnd.bamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040A5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://defaultcontainer/ControlzEx;V5.0.0.0;component/controls/glowwindow.xamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://twitter.com/CEFAAviationCEFA-FAS_LicMgr.exefalse
                                              		high
                                              https://www.newtonsoft.com/jsonschemaCEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://github.com/microsoft/XamlBehaviorsWpfCEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712407595.0000000007200000.00000004.08000000.00040000.00000000.sdmpfalse
                                                  		high
                                                  http://www.cefa-aviation.comCEFA-FAS_LicMgr.exefalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.cefa-aviation.net/licensing/v2/check2.phpCEFA-FAS_LicMgr.exefalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocoCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://github.com/MahApps/MahApps.Metro.gitCEFA-FAS_LicMgr.exe, 00000000.00000002.2704512410.0000000006330000.00000004.08000000.00040000.00000000.sdmpfalse
                                                    		high
                                                    https://www.nuget.org/packages/Newtonsoft.Json.BsonCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2741293290.0000000010560000.00000004.08000000.00040000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2689630962.0000000004E88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://foo/bar/controls/glowwindow.bamlTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://foo/bar/themes/glow.bamlCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000041C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://www.cefa-aviation.net/licensing/v2/Collect/collect.phpthttps://www.cefa-aviation.net/licensiCEFA-FAS_LicMgr.exefalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://www.cefa-aviation.net:443/licensing/v2/check2.php?nocollectTCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.000000000456B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://www.cefa-aviation.net/licensing/v2/2GyCEFA-FAS_LicMgr.exe, 00000000.00000002.2673252468.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, CEFA-FAS_LicMgr.exe, 00000000.00000002.2712632909.00000000072F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      128.65.195.89
                                                      		www.cefa-aviation.netSwitzerland
                                                      		29222INFOMANIAK-ASCHfalse

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1583910
                                                      Start date and time:2025-01-03 21:09:20 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 10m 6s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                      Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                      Run name:Potential for more IOCs and behavior
                                                      Number of analysed new started processes analysed:31
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:CEFA-FAS_LicMgr.exe
                                                      Detection:MAL
                                                      Classification:mal48.evad.winEXE@16/8@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 86%
                                                      • Number of executed functions: 301
                                                      • Number of non-executed functions: 95
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe

                                                      Warnings

                                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 172.64.149.23, 104.18.38.233, 40.113.110.67, 52.149.20.212, 40.126.32.74, 20.223.36.55, 2.21.65.132, 40.126.32.76
                                                      • Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com, client.wns.windows.com, crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, fd.api.iris.microsoft.com, tse1.mm.bing.net, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com, wns.notify.trafficmanager.net, otelrules.svc.static.microsoft, login.live.com, res.public.onecdn.static.microsoft
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                      • VT rate limit hit for: CEFA-FAS_LicMgr.exe

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      15:10:23API Interceptor3995381x Sleep call for process: CEFA-FAS_LicMgr.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      INFOMANIAK-ASCHsEOELQpFOB.lnkGet hashmaliciousRedLineBrowse
                                                      • 83.166.133.91
                                                      ref095vq842r70_classement_atout_france.pdf.lnk.d.lnkGet hashmaliciousRedLine, SectopRATBrowse
                                                      • 83.166.133.91
                                                      Order No 24.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      RFQ.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      statement of accounts.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      RFQ.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      RFQ.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      XhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                      • 128.65.195.180
                                                      https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yLGet hashmaliciousRattyBrowse
                                                      • 128.65.195.91

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      6a5d235ee78c6aede6a61448b4e9ff1ehttp://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCKGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      http://usps.com-trackaddn.top/lGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      MJhe4xWsnR.msiGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Get hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      http://poubnxu3jubz.top/1.phpGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      http://kiesermedicalcorporation.com/mklakdjhfhm/yftguihjo/anRvcnRvcmljaUBiaWdnZS5jb20=Get hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      https://sites.google.com/kula.ai/rdps/homeGet hashmaliciousHTMLPhisherBrowse
                                                      • 128.65.195.89
                                                      Ball - Temp.data for GCMs.docGet hashmaliciousHTMLPhisherBrowse
                                                      • 128.65.195.89
                                                      EXTERNALRe.msgGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89
                                                      https://workflowspace.m-pages.com/8wJEXg/lee-cpa-audit-groupGet hashmaliciousUnknownBrowse
                                                      • 128.65.195.89

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\ProgramData\mntemp

                                                      Download File
                                                      Process:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):16
                                                      Entropy (8bit):3.875
                                                      Encrypted:false
                                                      SSDEEP:3:mwttY:mwttY
                                                      MD5:64B7439B13B9532C206108A209DF3B9A
                                                      SHA1:AEC43561A4A5BAF6E1A38F8B53DEDAD5983C458A
                                                      SHA-256:C04EB2B64466B34865750F29AA9CD35D6B6D51EB493A2293A4A442273798B23D
                                                      SHA-512:02B54F5A19B964FC587C9600B32785D7342FCAE1E53D2C930EBB6C3C0799DBEFCF2DD067DFF9FE018ECB68A74C4549BD348534D165EF9DBE7A11B69294C54114
                                                      Malicious:false
                                                      Preview:.^n..v..o#....

                                                      C:\Users\user\AppData\Local\Temp\20250103_152659_ewmgb3efq5krcg32_172892.info

                                                      Download File
                                                      Process:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                      Category:dropped
                                                      Size (bytes):9131
                                                      Entropy (8bit):7.8633014370037015
                                                      Encrypted:false
                                                      SSDEEP:192:zbzKe9CdbAq/VXBmT4j5jMReNrtt4NPqsNZeZZfzRrgp:zKewdbAwpMT2l+PqsNOFMp
                                                      MD5:916B2E78EECD192854992023D6065BB9
                                                      SHA1:B55E11CE3E9F552630C7A6DFC5A6DA8FBC325799
                                                      SHA-256:ADE6A367299B5C9C5161F4E945913110D6832A9CCD16318FACE6E3CF7DF536D8
                                                      SHA-512:616DBA7D1589D3A8869FC8F5CBDA9E8B407B0141473B85F62B4719B564BAC7ABA690B17AA3ABCE2E3CDCF5EF26D3C2B7E50F86CB6DAD0DF14E53B65F182A7D6A
                                                      Malicious:false
                                                      Preview:PK........]{#Z.#K.."......,...20250103_152659_ewmgb3efq5krcg32_172892.info.ko.\.......( .....'`B......v..~..`.<.......y.+.1.u..G..$..I..Z.8...h3..i....$?...n......Yu2.......v.7Ec.T..%.$.Jf4.s...^:..%.*o...j.......b.../..6;...gG.j...(..2..../.O..`....I..y+97..gD4.G....(....3......D...2.._..Q.;&.Xd.[......HV.....r.=8.^...U.VJZ..e.ZhW.I...S..X;[......7"4'n.........M.H6.4F.$AJ.......x..>.[.=*R..S...e^.H.:s7..V..]M9....t.V..9N.I.h...x.Z..]K....h%.....f`F..C.~..:..=..........2.mm.`:.`.......%...........].X...(....ug9...U..19N...<s6...|.1\.......p...Xz ..$/vWS.^.NS...0vO..U9.....g@m_|............$..V...<..%.R.e[.......}N........+HJ&.+.).....(.....:u_Q/.&N.....!.Ri(.M.]..B.D.GQ..V...T...}.-.xw...,3......w.......2..jc.j.l..:.....J......7.o.#1..2U.....V......k.F..d"...|...0.L...KG......>.'...:sn..-8m......o_...9.:du....4....m.< .$.e.5....A..?.**..t............v2.\.+F.HN....aL.(..R...C~W7L.Oo.....G@.~~...J9......M......{....E^.....Vx.$.NQ}..{.y...R..

                                                      C:\Users\user\AppData\Local\Temp\eryw1g5z712yemrma2p4tsgpy61k2z4d\5fwj6cbqtb8e3q5qn4nj1ywqsp3rmcws

                                                      Download File
                                                      Process:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):58
                                                      Entropy (8bit):5.556088322639176
                                                      Encrypted:false
                                                      SSDEEP:3:9DnPVZNWDHhpNn:lZ0hpNn
                                                      MD5:CE52F69731A8AE23DD1E023FA4174B58
                                                      SHA1:A6F33E849D0173568F4AD8A878FB5BE38DDFB507
                                                      SHA-256:B322A7A22985EC25FDB8CD5BB57A2C4B3E1F41CEF2223C93A0271F632482423F
                                                      SHA-512:22E977429FDEC23FF63344133A27BEB7950F0CF53031AC38154E789F241646AF31A6301A371F4E9FEE77A1EA94EF72D0D312EE73C2932DCBA4C53BCBB66526CE
                                                      Malicious:false
                                                      Preview:.es...p..*._.1.._...".......o1...U.y;...].....P.:._.q/.

                                                      C:\Users\user\AppData\Local\Temp\eryw1g5z712yemrma2p4tsgpy61k2z4d\radpewyc8xtfdp3xygg6ta6s7qz3mhju

                                                      Download File
                                                      Process:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):77
                                                      Entropy (8bit):5.321410079403068
                                                      Encrypted:false
                                                      SSDEEP:3:qcd1G+6AJNaLSkzjpGNLHdK:qKxmSkIK
                                                      MD5:62E9DECA48C2DEC767AC9C9C67CC9718
                                                      SHA1:88FEA22BED64E77A2C24A5C01E71CEB4B75F342A
                                                      SHA-256:5455C94709A4C6CD46D1393BFB0F9E09EFFB65DA3BCE74C1D2F0176A70F40003
                                                      SHA-512:DEFFD146A88599B5BAD7822D06B0F7A306743128F3F1D2C6728FE3C0DB97747320CAC8CFF7E115C0F15F93C086AF9AD70C96FAAF739FC401BA7FFE6B6EC9AF68
                                                      Malicious:false
                                                      Preview:..;.b./6..sRvM...S5....RVA....S.e.F...0Uty..7..sRvM...S..;.b./6..sRvM..

                                                      C:\Users\user\AppData\Local\Temp\tmp7DEA.tmp

                                                      Download File
                                                      Process:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      File Type:ASCII text
                                                      Category:modified
                                                      Size (bytes):36
                                                      Entropy (8bit):3.993132557647859
                                                      Encrypted:false
                                                      SSDEEP:3:fOS6CPe/pERqxn:2YeRAw
                                                      MD5:C02ABAA6F2738333504DE8AD12C38A03
                                                      SHA1:5653046C92190DAA0BAFCE08D3BD877A5B65FA67
                                                      SHA-256:52F2F7DA4A0F94A3F80C1C68EAB10AE5EB684ACBD4F98976BF26D1794DD2270B
                                                      SHA-512:6950B82D01CDC905F015B86235709A47597955021094A7E44155ADF4CDAEE70EB9B3DD0DD91CA60D8AFDC47DFEDFD77201760884A1600292D8F36E892ECA6043
                                                      Malicious:false
                                                      Preview:. . ..sw_lic=.cust_name=!!! Unknown

                                                      C:\Users\user\Desktop\LicUtils.dll

                                                      Download File
                                                      Process:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3805704
                                                      Entropy (8bit):7.950767661509388
                                                      Encrypted:false
                                                      SSDEEP:98304:O9+TGGhFtHj8Jt1m+Ld8VXWzktwD69a9t:O9YJFx4D1mK8dWSwH
                                                      MD5:21521E3382911BA09BF032A9813C8EC4
                                                      SHA1:623F3269AA5B707FF4E682EBEA7EACCA3184E6C0
                                                      SHA-256:7CA6A600E86CE8827B29B509A3A80FFBAF05495E249B22A6E6B054E3FB1FA2D6
                                                      SHA-512:9192DCDA2AD8CD5A2F84ABE3C8609C16EC72740D998F277CEB5CA73A10C4E41A350E66B475977D0CADC0BE9B700E6F6F597694A2549B882BD3CC1A449E58365E
                                                      Malicious:false
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........afc...0...0...0.x.0...0...1...0...1...0...1...0...1...0.x.1...0...0T..0:..1...0:..1...0:..0...0...0...0:..1...0Rich...0................PE..L....vDf...........!...'.X...h......X.Y......p........................................;.........................................L.... ................9..(.......................................................................................... .V.......................... ..` .E...p......................@..@ ............................@... ............................@..@ 0...........................@..B.edata..............................@..@.idata..............................@....rsrc........ ......................@..@.winlice..W..0......................`....boot.....9...Y...9.................`..`........................................................................................

                                                      C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe

                                                      Download File
                                                      Process:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):357552
                                                      Entropy (8bit):7.983173539023454
                                                      Encrypted:false
                                                      SSDEEP:6144:jVmUPZkmvcJ2L1f1ZhQi5o8qPli+Qtc1gIH/eVUhDMtKf:jVm/upNWiSPlJQe/2VUhsKf
                                                      MD5:FD01EB714D43DB949B2B0C45EC211833
                                                      SHA1:CDC4D63BF5375D2D672EE0E6A51B28643063211A
                                                      SHA-256:AC3982A3E6815EB39D2C8CA45F5EB80A9F116EE955C60CB45ACEB8018118E114
                                                      SHA-512:A9CDFDDE37B5FF306E9F335C49BB920D2AD62175EE8B6346419818310834717D57576BAFFAE457C2C19EDC5092032DA7700AD3E8488BBAA57F191D1E23B43C19
                                                      Malicious:true
                                                      Preview:MZ......................@...................................@...PE..L...31.f...............)............D.............@.................................4B....@.................`L...............".......0...............L...(...$.......4...............................................................................text.... .......................... ....res.....P...0...................... ...........................................................................................................................U..E.SV.....t....t..u..H...~1.E.+.....@Nu..!.u.@VP.7......u.3.9E.~..40.@;E.|.^[]...$.U..QVW.......u.....@..E.3.P.E.WPh........@.PWh.1......@.j0.5`.@..u..u.W..9}.t.j0.u..u.W..W....@......_^..SV3.WV.t$.Vh@...Vj.....@...;.t.VVVh....S....@.S......@.;.u.j@h.....t$.V....@...;.u.V.0.@.VPPh.....0........_^[..V.5 .@.h.@...t$..t$...h....j..t$...^.U....W........@..x..}..O.........SV...@..w..@..........U....u...R..0.@..u...,.@.3.E.;.u.RRR.u.j........3.3.9.t.....A9.u..E.P.....j@PV..(.@..

                                                      C:\Windows\win.ini

                                                      Download File
                                                      Process:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      File Type:Generic INItialization configuration [extensions]
                                                      Category:modified
                                                      Size (bytes):415
                                                      Entropy (8bit):5.2815773850498795
                                                      Encrypted:false
                                                      SSDEEP:12:F4Yv65RFN0dkQFyHxV6PaQFQsyFNLU1C6vn:F3030ajRcPFoNg1fvn
                                                      MD5:8E5FD33FAD63139DBE46B10A8B1AF8DB
                                                      SHA1:DBFAC4073DA5E80E1A66F31628AF0540C71071B0
                                                      SHA-256:9B4A525F087D24170BD5243306BB0CFD5FED89A1C28261BB50173734D20ECB93
                                                      SHA-512:781BF126D000A9A26777901CE259AEBE15C6CD9A15D9F375D8ED34A345ED1DE5E55AD194EB99A02F20C5AABE3C564AEA5A88820AD2218BAEEC4C8DDCDF39CC4E
                                                      Malicious:false
                                                      Preview:; for 16-bit app support..[fonts]..[extensions]..[mci extensions]..[files]..[Mail]..MAPI=1..[hax7y3e6tesc2j5waudm65u79p7ts13n]..vhhednnpn9ykay19dtdrm8eaepfgwj2t=gg8fu9gpwc23vepucgqyvnazr1ypqy453211115pdkazegvtpp1xv7smx48rhgu3zda3duyvb9z1enwpf5g3x4hjp43p7..nxgnd6z3ev1y53n5zqyy65jc36syx1hy=cuep4mn5vdsq5bwzybd8rrvndrftrwh7p21111w5cphck9kw1hu5rgtjkngfqmxxbu2ma52n1wg1tb9zybd8rrvndrftrwh7cuep4mn5vdsq5bwzybd8rrvndrf2..

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.873151994999119
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:CEFA-FAS_LicMgr.exe
                                                      File size:8'240'656 bytes
                                                      MD5:2210b6af1d0e46c80f4befbe4bdbf137
                                                      SHA1:76ad9f496ed9501c5ddc1a350c843e52d9e708b7
                                                      SHA256:f4a51197a7cc6b5251530f66c1d9792333bfe0db34e1acb78c3848f55fad0725
                                                      SHA512:2f490dca01b24b681e962738106dc574aaf3f917d852f53a02c110339ad081e391c6e8a3a7183dfca068e28df9755c2887ef38560d7c154114bb45dd0c9e4cbb
                                                      SSDEEP:196608:I3w3v3o3f9YJFx4D1mK8dWSwmmPI49KXkSImBR:I3w3v3o3qoD1mKKWSw+oKXkS9B
                                                      TLSH:C886014DE30A5A7EC7D2473C79D8E8A05A503CEDFF1240E2D7973114B6B863A4A7D862
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."...0...y...........}...... ....@.. ........................~.......~...`................................

                                                      File Icon

                                                      Icon Hash:3399f16268495133

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0xbdc00a
                                                      Entrypoint Section:
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0xFA5DD9BB [Fri Feb 9 08:56:27 2103 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Authenticode Signature

                                                      Signature Valid:true
                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                      Signature Validation Error:The operation completed successfully
                                                      Error Number:0
                                                      Not Before, Not After
                                                      • 03/08/2023 02:00:00 30/10/2026 00:59:59
                                                      Subject Chain
                                                      • CN=CEFA Aviation SAS, O=CEFA Aviation SAS, L=COLMAR, C=FR
                                                      Version:3
                                                      Thumbprint MD5:9FE0AD8136AC0B47BEDD45EF6709B46E
                                                      Thumbprint SHA-1:B929814942311922BB83EBAB3DF2863D0CB8F7E4
                                                      Thumbprint SHA-256:A015BA6DA33428CAE5C041DE95CB34F5C8BA37630BE4F050A427B4AA5F912F8E
                                                      Serial:0DF9C510F05C097CF8A3825181CDCECB

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00BDC000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xc43c0x4f.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x7a80000x33656.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x7d96000x2810
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x7de0000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x7dc0000x8
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0xa0000x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      mlZz|40x20000x79b00x7a0085db902abbc8cc4a448213e61903f421False1.0005122950819672data7.993807913628257IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .text0xa0000x79dbd50x79dc00457f450716b60122bf20684c7aed38a3unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc0x7a80000x336560x33800db88a947c904025979955882104af56eFalse0.1266923922936893data3.841529864702974IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      0x7dc0000x100x2003133e70da7d95e5f3b262aae78a77125False0.044921875data0.12227588125913882IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .reloc0x7de0000xc0x200c510f2682e93d843444071934d8980f8False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                      RT_ICON0x7a83a00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors0.2537313432835821
                                                      RT_ICON0x7a92480x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors0.3231046931407942
                                                      RT_ICON0x7a9af00x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors0.543778801843318
                                                      RT_ICON0x7aa1b80x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors0.3063583815028902
                                                      RT_ICON0x7aa7200x29c3PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9801702366476476
                                                      RT_ICON0x7ad0e40x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.044451673961907016
                                                      RT_ICON0x7bd90c0x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 380160.05878179524910658
                                                      RT_ICON0x7c6db40x67e8Device independent bitmap graphic, 80 x 160 x 32, image size 265600.06988721804511278
                                                      RT_ICON0x7cd59c0x5488Device independent bitmap graphic, 72 x 144 x 32, image size 216000.07869685767097967
                                                      RT_ICON0x7d2a240x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.08880491261218705
                                                      RT_ICON0x7d6c4c0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.11701244813278008
                                                      RT_ICON0x7d91f40x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.18363039399624764
                                                      RT_ICON0x7da29c0x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.25163934426229506
                                                      RT_ICON0x7dac240x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.36613475177304966
                                                      RT_GROUP_ICON0x7db08c0xcadata0.6534653465346535
                                                      RT_VERSION0x7db1580x312data0.44147582697201015
                                                      RT_MANIFEST0x7db46c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2025-01-03T21:10:29.098670+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.2561953128.65.195.89443TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 3, 2025 21:10:25.011452913 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.011491060 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.011938095 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.025885105 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.025909901 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.740693092 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.740792990 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.740818977 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.740988970 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.748915911 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.748950005 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.749285936 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:25.767136097 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:25.811342955 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:26.040221930 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:26.040321112 CET44361950128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:26.041053057 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:26.045619011 CET61950443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:26.600704908 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:26.600760937 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:26.600828886 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:26.601167917 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:26.601178885 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.359148979 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.360784054 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.360817909 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.685986042 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.686664104 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.686700106 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.686781883 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.686794043 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.686952114 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.686955929 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.899353981 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.899429083 CET44361951128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.899718046 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.907423019 CET61951443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.908268929 CET61953443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.908312082 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:27.908407927 CET61953443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.908638954 CET61953443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:27.908648968 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:28.594172001 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:28.595721006 CET61953443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:10:28.595727921 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:29.098725080 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:29.098833084 CET44361953128.65.195.89192.168.2.25
                                                      Jan 3, 2025 21:10:29.098900080 CET61953443192.168.2.25128.65.195.89
                                                      Jan 3, 2025 21:12:09.115662098 CET61953443192.168.2.25128.65.195.89

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 3, 2025 21:10:24.942394018 CET6274553192.168.2.251.1.1.1
                                                      Jan 3, 2025 21:10:24.979069948 CET53627451.1.1.1192.168.2.25

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Jan 3, 2025 21:10:24.942394018 CET192.168.2.251.1.1.10xf448Standard query (0)www.cefa-aviation.netA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Jan 3, 2025 21:10:24.979069948 CET1.1.1.1192.168.2.250xf448No error (0)www.cefa-aviation.net128.65.195.89A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • www.cefa-aviation.net

                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.2561950128.65.195.894436344C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-03 20:10:25 UTC146OUTGET /licensing/v2/check2.php?nocollect HTTP/1.1
                                                      User-Agent: CEFA FAS S2 Licenses Manager
                                                      Host: www.cefa-aviation.net
                                                      Connection: Keep-Alive
                                                      2025-01-03 20:10:26 UTC242INHTTP/1.1 200 OK
                                                      date: Fri, 03 Jan 2025 20:10:25 GMT
                                                      server: Apache
                                                      strict-transport-security: max-age=16000000
                                                      upgrade: h2
                                                      connection: Upgrade
                                                      vary: Accept-Encoding
                                                      transfer-encoding: chunked
                                                      content-type: text/html; charset=UTF-8
                                                      2025-01-03 20:10:26 UTC66INData Raw: 33 43 0d 0a 0a 20 0a 20 0a 43 45 46 41 20 46 41 53 20 53 32 20 4c 69 63 65 6e 73 65 73 20 4d 61 6e 61 67 65 72 0a 6c 69 63 6d 61 6e 61 67 65 72 5f 76 65 72 73 69 6f 6e 3d 32 2e 30 2e 30 2e 30 0d 0a
                                                      Data Ascii: 3C CEFA FAS S2 Licenses Managerlicmanager_version=2.0.0.0
                                                      2025-01-03 20:10:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.2561951128.65.195.894436344C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-03 20:10:27 UTC248OUTPOST /licensing/v2/Collect/collect.php HTTP/1.1
                                                      Content-Type: multipart/form-data; boundary=---------------------8dd2c0b1097d770
                                                      User-Agent: CEFA FAS S2 Licenses Manager
                                                      Host: www.cefa-aviation.net
                                                      Content-Length: 9359
                                                      Expect: 100-continue
                                                      2025-01-03 20:10:27 UTC25INHTTP/1.1 100 Continue
                                                      2025-01-03 20:10:27 UTC184OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 63 30 62 31 30 39 37 64 37 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 32 30 32 35 30 31 30 33 5f 31 35 32 36 35 39 5f 65 77 6d 67 62 33 65 66 71 35 6b 72 63 67 33 32 5f 31 37 32 38 39 32 2e 69 6e 66 6f 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a
                                                      Data Ascii: -----------------------8dd2c0b1097d770Content-Disposition: form-data; name="file"; filename="20250103_152659_ewmgb3efq5krcg32_172892.info"Content-Type: application/octet-stream
                                                      2025-01-03 20:10:27 UTC8192OUTData Raw: 50 4b 03 04 14 00 00 00 08 00 5d 7b 23 5a cb 23 4b 8b f1 22 00 00 d0 1d 01 00 2c 00 00 00 32 30 32 35 30 31 30 33 5f 31 35 32 36 35 39 5f 65 77 6d 67 62 33 65 66 71 35 6b 72 63 67 33 32 5f 31 37 32 38 39 32 2e 69 6e 66 6f ed 9d 6b 6f aa 5c b4 b6 ff 8a c4 aa 15 0d 28 20 d8 8f ad e7 03 88 27 60 42 d4 80 05 05 05 b4 d6 76 b5 1e 7e fb 9e 60 db b5 3c f4 c9 fb 92 9d ec 84 f0 79 06 2b 8c 31 c7 75 df 03 47 a7 a1 24 d7 0e 49 9a d3 5a aa 38 ab ec a9 ce 68 33 b3 07 69 07 cf 8f d7 c7 24 3f 93 16 8c 6e b3 1c 03 86 b5 e1 b3 92 59 75 32 e9 91 0a b0 c5 ae 8f 0e a8 76 a2 37 45 63 a4 54 9c 0c 25 a2 24 0b 4a 66 34 cb 73 8f 98 01 5e 3a 02 d2 25 b2 2a 6f d1 8c 8b c8 6a 8c fd 84 7f e3 89 d9 ee 94 96 62 83 86 83 2f d1 d4 36 3b e6 8d dc b8 9a 67 47 84 6a 7f 08 e2 28 97 e2 32 1d
                                                      Data Ascii: PK]{#Z#K",20250103_152659_ewmgb3efq5krcg32_172892.infoko\( '`Bv~`<y+1uG$IZ8h3i$?nYu2v7EcT%$Jf4s^:%*ojb/6;gGj(2
                                                      2025-01-03 20:10:27 UTC939OUTData Raw: 5e 7e 3c 93 41 f9 81 45 fc 08 2d 3f ca 41 f9 b1 8a f8 11 5a 7e 98 41 f9 91 8b 7e 7f 15 5a 7e e8 41 7f 7f 65 36 22 7e 84 95 1f 6f f9 80 fc f0 e7 d3 23 7e 84 92 1f 0c 13 90 1f 5b 10 f9 8f b0 f2 83 9c 06 f5 1f 1f 74 c4 8f d0 f2 e3 2e 28 3f ee 23 7e 84 96 1f 7a 50 7e c8 91 ff 08 2d 3f 9e 83 fa 8f 8f 74 c4 8f d0 f2 e3 10 94 1f 6e c4 8f d0 f2 63 1e 98 1f d1 fc 47 68 f9 a1 07 fd fd d5 47 25 e2 47 68 f9 d1 0e ca 8f 68 fe 3c b4 fc 40 82 ce 9f 0b d1 fc 79 68 f9 b1 0f 3a 7f 5e 2e 45 f3 e7 61 e5 87 f6 19 74 fe 3c 19 cd 9f 87 97 1f 41 e7 cf 85 68 fe 3c bc fc 08 3a 7f 5e 2e 45 f3 e7 e1 e5 47 d0 f9 f3 64 34 7f 1e 5e 7e 04 9d 3f 17 a2 f9 f3 10 f3 23 e0 fc 47 b9 14 cd 9f 87 97 1f 41 e7 cf 93 d1 fc 79 78 f9 11 74 fe 5c 88 e6 cf 43 cb 8f 63 d0 f9 f3 72 3f 9a 3f 0f 2d 3f f8
                                                      Data Ascii: ^~<AE-?AZ~A~Z~Ae6"~o#~[t.(?#~zP~-?tncGhG%Ghh<@yh:^.Eat<Ah<:^.EGd4^~?#GAyxt\Ccr??-?
                                                      2025-01-03 20:10:27 UTC44OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 63 30 62 31 30 39 37 64 37 37 30 2d 2d 0d 0a
                                                      Data Ascii: -----------------------8dd2c0b1097d770--
                                                      2025-01-03 20:10:27 UTC247INHTTP/1.1 200 OK
                                                      date: Fri, 03 Jan 2025 20:10:27 GMT
                                                      server: Apache
                                                      strict-transport-security: max-age=16000000
                                                      upgrade: h2
                                                      connection: Upgrade
                                                      vary: Accept-Encoding
                                                      transfer-encoding: chunked
                                                      content-type: text/html; charset=UTF-8
                                                      0


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      2192.168.2.2561953128.65.195.894436344C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-03 20:10:28 UTC290OUTGET /licensing/v2/check2.php?mcid=ewmgb3efq5krcg32&mcname=172892&fprt=4227B69D-C8E9-B57D-58FC-5F4EDD2F6621_qgklap-42%2027%20b6%209d%20c8%20e9%20b5%207d-58%20fc%205f%204e%20dd%202f%2066%2021&vsc=0&ver=2.0.14 HTTP/1.1
                                                      User-Agent: CEFA FAS S2 Licenses Manager
                                                      Host: www.cefa-aviation.net
                                                      2025-01-03 20:10:29 UTC323INHTTP/1.1 200 OK
                                                      date: Fri, 03 Jan 2025 20:10:28 GMT
                                                      server: Apache
                                                      content-disposition: attachment; filename=file.txt
                                                      expires: 0
                                                      cache-control: must-revalidate
                                                      pragma: public
                                                      strict-transport-security: max-age=16000000
                                                      upgrade: h2
                                                      connection: Upgrade
                                                      content-length: 36
                                                      content-type: application/octet-stream
                                                      2025-01-03 20:10:29 UTC36INData Raw: 0a 20 0a 20 0a 0a 73 77 5f 6c 69 63 3d 0a 63 75 73 74 5f 6e 61 6d 65 3d 21 21 21 20 55 6e 6b 6e 6f 77 6e 20
                                                      Data Ascii: sw_lic=cust_name=!!! Unknown


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:15:10:18
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\CEFA-FAS_LicMgr.exe"
                                                      Imagebase:0xc50000
                                                      File size:8'240'656 bytes
                                                      MD5 hash:2210B6AF1D0E46C80F4BEFBE4BDBF137
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1375964616.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2673252468.0000000003851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      General

                                                      Target ID:1
                                                      Start time:15:10:21
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -currentkey
                                                      Imagebase:0x200000
                                                      File size:357'552 bytes
                                                      MD5 hash:FD01EB714D43DB949B2B0C45EC211833
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:15:10:21
                                                      Start date:03/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c7360000
                                                      File size:1'040'384 bytes
                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:15:10:21
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -macid
                                                      Imagebase:0x200000
                                                      File size:357'552 bytes
                                                      MD5 hash:FD01EB714D43DB949B2B0C45EC211833
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:4
                                                      Start time:15:10:21
                                                      Start date:03/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c7360000
                                                      File size:1'040'384 bytes
                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      General

                                                      Target ID:5
                                                      Start time:15:10:22
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expireddate
                                                      Imagebase:0x200000
                                                      File size:357'552 bytes
                                                      MD5 hash:FD01EB714D43DB949B2B0C45EC211833
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:6
                                                      Start time:15:10:22
                                                      Start date:03/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c7360000
                                                      File size:1'040'384 bytes
                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      General

                                                      Target ID:7
                                                      Start time:15:10:22
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -expired
                                                      Imagebase:0x200000
                                                      File size:357'552 bytes
                                                      MD5 hash:FD01EB714D43DB949B2B0C45EC211833
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:8
                                                      Start time:15:10:22
                                                      Start date:03/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c7360000
                                                      File size:1'040'384 bytes
                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      General

                                                      Target ID:9
                                                      Start time:15:10:22
                                                      Start date:03/01/2025
                                                      Path:C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\bin\CEFA-FAS_LicThsUtils.exe" -licinfo
                                                      Imagebase:0x200000
                                                      File size:357'552 bytes
                                                      MD5 hash:FD01EB714D43DB949B2B0C45EC211833
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:10
                                                      Start time:15:10:23
                                                      Start date:03/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c7360000
                                                      File size:1'040'384 bytes
                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:10.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:16.9%
                                                        Total number of Nodes:118
                                                        Total number of Limit Nodes:10
                                                        execution_graph 43682 1ebb5e8 43683 1ebb630 VirtualProtect 43682->43683 43684 1ebb66a 43683->43684 43732 d17e670 43733 d17e6af 43732->43733 43736 110f0010 GetSystemFirmwareTable 752DF690 43733->43736 43734 d17e6ce 43737 110f003d GetSystemFirmwareTable 43736->43737 43738 110f006b 43736->43738 43741 110eeec0 43737->43741 43738->43734 43747 110eeed8 43741->43747 43746 110eef90 752E3E90 43746->43746 43746->43747 43747->43746 43748 110ef087 43747->43748 43749 110ed600 752E3E90 752E3E90 43747->43749 43750 110eda30 752E3E90 752E3E90 752E3E90 752E3E90 752E3E90 43747->43750 43751 110ee9e0 752E3E90 752E3E90 752E3E90 43747->43751 43752 110ee3f0 752E3E90 752E3E90 752E3E90 752E3E90 43747->43752 43748->43734 43749->43747 43750->43747 43751->43747 43752->43747 43716 d17184d 43719 d1717d6 43716->43719 43719->43716 43721 d172743 43719->43721 43725 d172838 43719->43725 43728 d172640 43719->43728 43722 d17274c 43721->43722 43723 d1712c8 KiUserCallbackDispatcher 43722->43723 43724 d17279b 43722->43724 43723->43724 43724->43719 43726 d1712c8 KiUserCallbackDispatcher 43725->43726 43727 d172860 43726->43727 43727->43719 43729 d172645 43728->43729 43729->43719 43730 d1712c8 KiUserCallbackDispatcher 43729->43730 43731 d17279b 43729->43731 43730->43731 43731->43719 43753 d1795fa 43754 d17963b 43753->43754 43756 d179857 43753->43756 43757 d1797ca 43756->43757 43760 d17edd2 43756->43760 43765 d17eb2a 43756->43765 43757->43757 43761 d17edd6 43760->43761 43770 d17f880 43761->43770 43775 d17f86f 43761->43775 43762 d17f329 43766 d17ec80 43765->43766 43768 d17f880 7 API calls 43766->43768 43769 d17f86f 7 API calls 43766->43769 43767 d17f329 43768->43767 43769->43767 43772 d17f883 43770->43772 43771 d17f95e 43771->43762 43772->43771 43780 11c91aa1 43772->43780 43785 11c91ab4 43772->43785 43777 d17f880 43775->43777 43776 d17f95e 43776->43762 43777->43776 43778 11c91aa1 7 API calls 43777->43778 43779 11c91ab4 7 API calls 43777->43779 43778->43776 43779->43776 43781 11c91ab5 43780->43781 43790 11c93c95 43781->43790 43798 11c93ca4 43781->43798 43782 11c91bab 43786 11c91ab5 43785->43786 43788 11c93c95 7 API calls 43786->43788 43789 11c93ca4 7 API calls 43786->43789 43787 11c91bab 43788->43787 43789->43787 43792 11c93c9d 43790->43792 43791 11c94e0c 43791->43782 43792->43791 43806 11c93cb4 43792->43806 43794 11c94eab 43795 11c94e88 43795->43794 43796 11c93cb4 7 API calls 43795->43796 43797 11c94e81 43796->43797 43797->43782 43800 11c93caf 43798->43800 43799 11c94e0c 43799->43782 43800->43799 43801 11c93cb4 7 API calls 43800->43801 43803 11c94e88 43801->43803 43802 11c94eab 43803->43802 43804 11c93cb4 7 API calls 43803->43804 43805 11c94e81 43804->43805 43805->43782 43807 11c95090 43806->43807 43807->43807 43810 110f0330 43807->43810 43808 11c953b4 43811 110f036f 43810->43811 43822 110f043f 43810->43822 43823 110e2d20 43811->43823 43813 110f0383 43814 110ef950 688A7E30 688A7E30 752DF690 688A7E30 43813->43814 43815 110f03a3 43813->43815 43814->43815 43816 110f2ad0 6 API calls 43815->43816 43817 110f041f 43816->43817 43818 110f042b 43817->43818 43820 110f04c4 43817->43820 43819 110f2ad0 6 API calls 43818->43819 43819->43822 43821 110f2ad0 6 API calls 43820->43821 43821->43822 43822->43808 43824 110e2d50 43823->43824 43827 110e1790 688A7E30 Concurrency::cancel_current_task 43824->43827 43826 110e2e1a 43827->43826 43685 1ccd163 43686 1ccd18c 43685->43686 43687 1ccd1aa 43686->43687 43689 d170f38 43686->43689 43690 d170f47 43689->43690 43691 d1710b6 43690->43691 43694 d170f9a 43690->43694 43696 d17112a 43691->43696 43699 d170f38 2 API calls 43691->43699 43692 d17105c 43700 d1711f8 43692->43700 43693 d1710a7 43693->43686 43694->43692 43698 d170f38 2 API calls 43694->43698 43695 d171125 43695->43686 43696->43686 43698->43692 43699->43695 43701 d171218 43700->43701 43702 d171205 43700->43702 43701->43693 43702->43701 43707 d1712c8 43702->43707 43703 d17125e 43704 d17128f 43703->43704 43711 d68d7b1 43703->43711 43704->43693 43708 d1712db 43707->43708 43709 d1712fb KiUserCallbackDispatcher 43708->43709 43710 d171312 43708->43710 43709->43710 43710->43703 43712 d68d7cd SetWindowLongA 43711->43712 43713 d68d7c0 43711->43713 43715 d68d874 43712->43715 43713->43704 43715->43704

                                                        Executed Functions

                                                        Function 110F0330 Relevance: 3.9, Strings: 3, Instructions: 195COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 753 110f0330-110f0369 754 110f036f-110f0389 call 110e2d20 753->754 755 110f059d 753->755 761 110f038b-110f038d 754->761 762 110f03a3-110f03c9 call 110e2c00 call 110e2160 754->762 756 110f05a0-110f05bb call 110f409a 755->756 763 110f0390-110f0395 761->763 770 110f03cb-110f03d7 762->770 771 110f03f9-110f0425 call 110e2c00 call 110f2ad0 762->771 763->763 765 110f0397-110f039e call 110ef950 763->765 765->762 772 110f03ef-110f03f6 call 110f40a8 770->772 773 110f03d9-110f03e7 770->773 781 110f042b-110f043a call 110e2c00 call 110f2ad0 771->781 782 110f04c4-110f04f5 call 110e2c00 call 110f2ad0 771->782 772->771 773->772 775 110f03e9 773->775 775->772 788 110f043f-110f0448 781->788 800 110f051f-110f0537 782->800 801 110f04f7-110f0503 782->801 790 110f044a-110f0456 788->790 791 110f0476-110f048e 788->791 793 110f046c-110f0473 call 110f40a8 790->793 794 110f0458-110f0466 790->794 796 110f04bc-110f04bf 791->796 797 110f0490-110f049c 791->797 793->791 794->793 798 110f0557 794->798 796->756 802 110f049e-110f04ac 797->802 803 110f04b2-110f04b9 call 110f40a8 797->803 810 110f055d-110f0564 call 110f40a8 798->810 807 110f0539-110f0545 800->807 808 110f0567-110f0569 800->808 805 110f0515-110f051c call 110f40a8 801->805 806 110f0505-110f0513 801->806 802->798 802->803 803->796 805->800 806->798 806->805 807->810 812 110f0547-110f0555 807->812 808->756 810->808 812->798 812->810
                                                        Strings
                                                        • Encrypt data : Message encryted, xrefs: 110F0410
                                                        • Encrypt data : Buffer size is too small - return required size, xrefs: 110F0430
                                                        • Encrypt data : Buffer filled, xrefs: 110F04E0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Encrypt data : Buffer filled$Encrypt data : Buffer size is too small - return required size$Encrypt data : Message encryted
                                                        • API String ID: 0-1245256417
                                                        • Opcode ID: 43ce5b5f5ea9128f7c264ad60b8c1d889d0a99375c58e8fd1eb691ab24197958
                                                        • Instruction ID: 644cce44388b3acd3ac7e6ee77efe296592d7a7666ef5ac15056ee0b4a5d38a1
                                                        • Opcode Fuzzy Hash: 43ce5b5f5ea9128f7c264ad60b8c1d889d0a99375c58e8fd1eb691ab24197958
                                                        • Instruction Fuzzy Hash: 5D610971D0010BDFDB08CB78CC9ABFEBB76EF44314F108258E512A7685DB74AA458BA1
                                                        Function 11C93CB4 Relevance: 1.5, Strings: 1, Instructions: 298COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Gfr
                                                        • API String ID: 0-4134379521
                                                        • Opcode ID: b8505f6eb473ad60f2940ce6d4a252a14f4e9c17a1d640b0729245fa8fd09513
                                                        • Instruction ID: 9a2f8445410b75771a8420d79b38b89247ad07287da559fdd87756f55ab3ba72
                                                        • Opcode Fuzzy Hash: b8505f6eb473ad60f2940ce6d4a252a14f4e9c17a1d640b0729245fa8fd09513
                                                        • Instruction Fuzzy Hash: 27D15F74E00649CFDB18CFA8C891B9EBBB1BF54304F14C0AAD859A7391DB74A985CF91
                                                        Function 11C95084 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Gfr
                                                        • API String ID: 0-4134379521
                                                        • Opcode ID: 00529092349216376e6dcfa3b4845b86260e0a6bc74e11c4e3a9ab780e07ccad
                                                        • Instruction ID: 1b69782bacf4148b697e3ce7aac07fc72d35952db8d820901eb13f6b2db29a4d
                                                        • Opcode Fuzzy Hash: 00529092349216376e6dcfa3b4845b86260e0a6bc74e11c4e3a9ab780e07ccad
                                                        • Instruction Fuzzy Hash: 01D14D74E00659CFEB18CFA8C890B9DBBB1BF54304F14C0AAD859A7391DB74A985CF91
                                                        Function 0D681400 Relevance: .8, Instructions: 830COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e32ab925c9cecc140148549bfded8fdee8b51662826088e80f235f17635a5c85
                                                        • Instruction ID: 978d9834cd67250df2871fb63a2b2117ad102ca4e23369ac6ab794f5f4117f11
                                                        • Opcode Fuzzy Hash: e32ab925c9cecc140148549bfded8fdee8b51662826088e80f235f17635a5c85
                                                        • Instruction Fuzzy Hash: 12820471900258DFCB61DF64DD40AEEBBB2FB89300F0045EAD509AB290DB35AE94DF95
                                                        Function 0D681420 Relevance: .8, Instructions: 808COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e57b3abfc33b39fb8e1727c5ef356e9a5a4990fd4bb5b927ea8baab82cf8bf66
                                                        • Instruction ID: 37e63c8f6ceec1d93e4e803c1d8b66f665714145a2796180ee95b8a178d83d23
                                                        • Opcode Fuzzy Hash: e57b3abfc33b39fb8e1727c5ef356e9a5a4990fd4bb5b927ea8baab82cf8bf66
                                                        • Instruction Fuzzy Hash: 42820471900218DFCB61DF64DD40AEEBBB2FB99300F0045EAD509AB290DB35AE94DF95
                                                        Function 0D685638 Relevance: .7, Instructions: 746COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92797b267040d5003bbde3dbf117db09bcab4a56faac6f76deb89d00f38c98b1
                                                        • Instruction ID: b1ced84bc9fd8c54a917e0b6a5bba64718fac603b4993390531fa0f0f6afdeb5
                                                        • Opcode Fuzzy Hash: 92797b267040d5003bbde3dbf117db09bcab4a56faac6f76deb89d00f38c98b1
                                                        • Instruction Fuzzy Hash: 55721771900258DFDB55DF64D940AEDBBB6FF89300F0089EAD509AB250EB31AE94CF91
                                                        Function 0D685658 Relevance: .7, Instructions: 729COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 39ef7a553a148ea19f15dabe29aa2c0250058fa95009e515c98778df0a8f7d5b
                                                        • Instruction ID: 018d6d243900762e1e0704f508b48a590936162065b8ea2c6ca3d2e54d01e671
                                                        • Opcode Fuzzy Hash: 39ef7a553a148ea19f15dabe29aa2c0250058fa95009e515c98778df0a8f7d5b
                                                        • Instruction Fuzzy Hash: 1B721771900258DFDB55DF64D940AEDBBB6FF89300F0089EAD509AB250EB31AE94CF91
                                                        Function 0714C9E8 Relevance: 8.0, Strings: 6, Instructions: 516COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 167 714c9e8-714ca13 168 714ca15 167->168 169 714ca1a-714ca25 167->169 168->169 170 714ca27-714ca2d 169->170 171 714ca3d-714ca49 169->171 172 714ca31-714ca3b 170->172 173 714ca2f 170->173 175 714cb51-714cb5c 171->175 176 714ca4f-714ca5a 171->176 172->171 173->171 180 714cb63-714cb6e 175->180 181 714cb5e 175->181 178 714ca61-714ca6c 176->178 179 714ca5c 176->179 182 714ca84-714ca90 178->182 183 714ca6e-714ca74 178->183 179->178 184 714cb86-714cb92 180->184 185 714cb70-714cb76 180->185 181->180 182->175 195 714ca96-714caa1 182->195 186 714ca76 183->186 187 714ca78-714ca82 183->187 192 714cb94-714cb9f 184->192 193 714cbec-714cbf7 184->193 188 714cb78 185->188 189 714cb7a-714cb84 185->189 186->182 187->182 188->184 189->184 197 714cba6-714cbbd 192->197 198 714cba1 192->198 199 714cbfe-714cc27 193->199 200 714cbf9 193->200 201 714caa3 195->201 202 714caa8-714cabf 195->202 212 714cbd7-714cbe5 197->212 213 714cbbf-714cbc5 197->213 198->197 203 714cc3f-714cc8e 199->203 204 714cc29-714cc2f 199->204 200->199 201->202 210 714cac1-714cac7 202->210 211 714cad9-714caf1 202->211 214 714cc95-714ccac 203->214 215 714cc90 203->215 207 714cc31 204->207 208 714cc33-714cc3d 204->208 207->203 208->203 216 714cac9 210->216 217 714cacb-714cad7 210->217 211->175 232 714caf3-714cafe 211->232 212->193 218 714cbc7 213->218 219 714cbc9-714cbd5 213->219 225 714ccc6-714ccea 214->225 226 714ccae-714ccb4 214->226 215->214 216->211 217->211 218->212 219->212 237 714ccf6-714ce27 225->237 228 714ccb6 226->228 229 714ccb8-714ccc4 226->229 228->225 229->225 234 714cb05-714cb1c 232->234 235 714cb00 232->235 239 714cb36-714cb4a 234->239 240 714cb1e-714cb24 234->240 235->234 258 714ce2e-714ce39 237->258 259 714ce29 237->259 239->175 242 714cb26 240->242 243 714cb28-714cb34 240->243 242->239 243->239 260 714ce51-714ce69 258->260 261 714ce3b-714ce41 258->261 259->258 265 714ce70-714ce87 260->265 266 714ce6b 260->266 262 714ce45-714ce4f 261->262 263 714ce43 261->263 262->260 263->260 269 714cea1-714cf10 265->269 270 714ce89-714ce8f 265->270 266->265 281 714cf12-714cf18 269->281 282 714cf2a-714d16a 269->282 271 714ce91 270->271 272 714ce93-714ce9f 270->272 271->269 272->269 283 714cf1c-714cf28 281->283 284 714cf1a 281->284 283->282 284->282
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #iQk^$3iQk^$CiQk^$SiQk^$ciQk^$siQk^
                                                        • API String ID: 0-3151639283
                                                        • Opcode ID: f8fa2aa7e41eac3738ad02763a1c285cff1a36218b9b8b21295a52f61f87060a
                                                        • Instruction ID: 38d23b490ab724f05e1aebb8e02b5f59f249b3dc1d8d3c7e93cfb9a06d9dda2b
                                                        • Opcode Fuzzy Hash: f8fa2aa7e41eac3738ad02763a1c285cff1a36218b9b8b21295a52f61f87060a
                                                        • Instruction Fuzzy Hash: E8227E75B01217CBCB78DB28C95076E77B2BF85600F1189ADD909AB780EF34AD81DB91
                                                        Function 0714C9D7 Relevance: 8.0, Strings: 6, Instructions: 489COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 323 714c9d7-714c9d9 324 714ca30-714ca3a 323->324 325 714c9db-714ca13 323->325 326 714ca3d-714ca49 324->326 328 714ca15 325->328 329 714ca1a-714ca25 325->329 332 714cb51-714cb5c 326->332 333 714ca4f-714ca5a 326->333 328->329 329->326 331 714ca27-714ca2d 329->331 334 714ca31-714ca3b 331->334 335 714ca2f 331->335 338 714cb63-714cb6e 332->338 339 714cb5e 332->339 336 714ca61-714ca6c 333->336 337 714ca5c 333->337 334->326 335->326 341 714ca84-714ca90 336->341 342 714ca6e-714ca74 336->342 337->336 343 714cb86-714cb92 338->343 344 714cb70-714cb76 338->344 339->338 341->332 354 714ca96-714caa1 341->354 345 714ca76 342->345 346 714ca78-714ca82 342->346 351 714cb94-714cb9f 343->351 352 714cbec-714cbf7 343->352 347 714cb78 344->347 348 714cb7a-714cb84 344->348 345->341 346->341 347->343 348->343 356 714cba6-714cbbd 351->356 357 714cba1 351->357 358 714cbfe-714cc27 352->358 359 714cbf9 352->359 360 714caa3 354->360 361 714caa8-714cabf 354->361 371 714cbd7-714cbe5 356->371 372 714cbbf-714cbc5 356->372 357->356 362 714cc3f-714cc8e 358->362 363 714cc29-714cc2f 358->363 359->358 360->361 369 714cac1-714cac7 361->369 370 714cad9-714caf1 361->370 373 714cc95-714ccac 362->373 374 714cc90 362->374 366 714cc31 363->366 367 714cc33-714cc3d 363->367 366->362 367->362 375 714cac9 369->375 376 714cacb-714cad7 369->376 370->332 391 714caf3-714cafe 370->391 371->352 377 714cbc7 372->377 378 714cbc9-714cbd5 372->378 384 714ccc6-714ccea 373->384 385 714ccae-714ccb4 373->385 374->373 375->370 376->370 377->371 378->371 396 714ccf6-714ce27 384->396 387 714ccb6 385->387 388 714ccb8-714ccc4 385->388 387->384 388->384 393 714cb05-714cb1c 391->393 394 714cb00 391->394 398 714cb36-714cb4a 393->398 399 714cb1e-714cb24 393->399 394->393 417 714ce2e-714ce39 396->417 418 714ce29 396->418 398->332 401 714cb26 399->401 402 714cb28-714cb34 399->402 401->398 402->398 419 714ce51-714ce69 417->419 420 714ce3b-714ce41 417->420 418->417 424 714ce70-714ce87 419->424 425 714ce6b 419->425 421 714ce45-714ce4f 420->421 422 714ce43 420->422 421->419 422->419 428 714cea1-714cf10 424->428 429 714ce89-714ce8f 424->429 425->424 440 714cf12-714cf18 428->440 441 714cf2a-714d16a 428->441 430 714ce91 429->430 431 714ce93-714ce9f 429->431 430->428 431->428 442 714cf1c-714cf28 440->442 443 714cf1a 440->443 442->441 443->441
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #iQk^$3iQk^$CiQk^$SiQk^$ciQk^$siQk^
                                                        • API String ID: 0-3151639283
                                                        • Opcode ID: 50edce624d72b8af47c5feb1ed23610d4de19bc87bbd80362071a2568a11c982
                                                        • Instruction ID: 34ea03cb8cca2f9e99bb025275b44c225c47dbbf191ef31adf8f3b8218b82e8a
                                                        • Opcode Fuzzy Hash: 50edce624d72b8af47c5feb1ed23610d4de19bc87bbd80362071a2568a11c982
                                                        • Instruction Fuzzy Hash: EA129F75B01217CBCB39DF24C950B6EB7B2BF85600F1545ADC909AB780EB34AD81DB91
                                                        Function 0714CB4C Relevance: 7.9, Strings: 6, Instructions: 387COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 482 714cb4c-714cb5c 484 714cb63-714cb6e 482->484 485 714cb5e 482->485 486 714cb86-714cb92 484->486 487 714cb70-714cb76 484->487 485->484 491 714cb94-714cb9f 486->491 492 714cbec-714cbf7 486->492 488 714cb78 487->488 489 714cb7a-714cb84 487->489 488->486 489->486 494 714cba6-714cbbd 491->494 495 714cba1 491->495 496 714cbfe-714cc27 492->496 497 714cbf9 492->497 504 714cbd7-714cbe5 494->504 505 714cbbf-714cbc5 494->505 495->494 498 714cc3f-714cc8e 496->498 499 714cc29-714cc2f 496->499 497->496 506 714cc95-714ccac 498->506 507 714cc90 498->507 501 714cc31 499->501 502 714cc33-714cc3d 499->502 501->498 502->498 504->492 508 714cbc7 505->508 509 714cbc9-714cbd5 505->509 513 714ccc6-714ccea 506->513 514 714ccae-714ccb4 506->514 507->506 508->504 509->504 520 714ccf6-714ce27 513->520 515 714ccb6 514->515 516 714ccb8-714ccc4 514->516 515->513 516->513 534 714ce2e-714ce39 520->534 535 714ce29 520->535 536 714ce51-714ce69 534->536 537 714ce3b-714ce41 534->537 535->534 541 714ce70-714ce87 536->541 542 714ce6b 536->542 538 714ce45-714ce4f 537->538 539 714ce43 537->539 538->536 539->536 545 714cea1-714cf10 541->545 546 714ce89-714ce8f 541->546 542->541 557 714cf12-714cf18 545->557 558 714cf2a-714d16a 545->558 547 714ce91 546->547 548 714ce93-714ce9f 546->548 547->545 548->545 559 714cf1c-714cf28 557->559 560 714cf1a 557->560 559->558 560->558
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #iQk^$3iQk^$CiQk^$SiQk^$ciQk^$siQk^
                                                        • API String ID: 0-3151639283
                                                        • Opcode ID: d570182b9b9f460f6c99bcde00849fb3ddab1567fced306be97fb01790afcc1a
                                                        • Instruction ID: 779ef4633a57af835e6ea3f9cca8991c83aa4fc13604c7914151a259757659e9
                                                        • Opcode Fuzzy Hash: d570182b9b9f460f6c99bcde00849fb3ddab1567fced306be97fb01790afcc1a
                                                        • Instruction Fuzzy Hash: F5F15A75A01217CBCB38DB24D950B6EB7B2BFC5200F1185A9D909AB780EB34AD81DB91
                                                        Function 110F40D9 Relevance: 4.7, APIs: 3, Instructions: 207COMMONLIBRARYCODE
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 599 110f40d9-110f40dc 600 110f40eb-110f40f6 752DF690 599->600 601 110f40de-110f40e9 call 110f4ea5 600->601 602 110f40f8-110f40f9 600->602 601->600 605 110f40fa-110f40fe 601->605 606 110f4104-110f49de call 110f498b 688A7E30 605->606 607 110e1790-110e17e1 call 110e1770 688A7E30 605->607 615 110f49e4-110f4a4b 606->615 616 110f4b90-110f4b93 606->616 617 110f4a4d-110f4a5a 615->617 618 110f4a90 615->618 620 110f4a7f-110f4a8e 617->620 621 110f4a5c-110f4a61 617->621 619 110f4a96-110f4aa2 618->619 622 110f4ad4 619->622 623 110f4aa4-110f4ac7 619->623 620->619 621->620 624 110f4a63-110f4a68 621->624 627 110f4ad7-110f4af4 622->627 626 110f4ac9-110f4ad2 623->626 623->627 624->620 625 110f4a6a-110f4a6f 624->625 625->620 628 110f4a71-110f4a76 625->628 626->627 629 110f4b8d-110f4b8f 627->629 630 110f4afa-110f4b12 627->630 628->620 631 110f4a78-110f4a7d 628->631 629->616 630->629 632 110f4b14-110f4b1a 630->632 631->618 631->620 632->629 633 110f4b1c-110f4b34 632->633 633->629 634 110f4b36-110f4b50 633->634 634->629 635 110f4b52-110f4b6d 634->635 635->629 636 110f4b6f-110f4b7e 635->636 636->629 637 110f4b80-110f4b87 636->637 637->629
                                                        APIs
                                                        • 688A7E30.VCRUNTIME140(?,110F9F40,?,?,?,110F7F8C), ref: 110E17A7
                                                        • 752DF690.API-MS-WIN-CRT-HEAP-L1-1-0(110F3F74,?,110F4079,00000008,?,?,110F3F74,?), ref: 110F40EE
                                                        • 688A7E30.VCRUNTIME140(?,110F9EA4), ref: 110F49BA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: F690
                                                        • String ID:
                                                        • API String ID: 2541812937-0
                                                        • Opcode ID: cb4bdea1a6c8120b771420343e0dd2392d75a8824500c5ba1b5a2f819b458bb2
                                                        • Instruction ID: 3fd603ea02df435aaf48eeee179fbb4f04653a366d242a238c4c120d1e0398c0
                                                        • Opcode Fuzzy Hash: cb4bdea1a6c8120b771420343e0dd2392d75a8824500c5ba1b5a2f819b458bb2
                                                        • Instruction Fuzzy Hash: F0719171D0025B9FEB14CFA4C993A9EBBF8FB44318F11846AE905EB240E7759944CB90
                                                        Function 110F0010 Relevance: 4.5, APIs: 3, Instructions: 42COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 110F0025
                                                        • 752DF690.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 110F002E
                                                        • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 110F0046
                                                          • Part of subcall function 110EEEC0: 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 110EEF94
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: FirmwareSystemTable$F690
                                                        • String ID:
                                                        • API String ID: 3617218082-0
                                                        • Opcode ID: 561494bb8d76485cf6d917b7ce1b1f82f340795e1d9096ddfcedd36861de43b1
                                                        • Instruction ID: 01b873a611e742230734094c4d1c41f278436b17d64edad95950c8744ad13ee5
                                                        • Opcode Fuzzy Hash: 561494bb8d76485cf6d917b7ce1b1f82f340795e1d9096ddfcedd36861de43b1
                                                        • Instruction Fuzzy Hash: 8AF02B74E412297FE2208A549C4BFAB7B9CDF05269F000594FD0D97340D563682883E6
                                                        Function 0380EC00 Relevance: 4.0, Strings: 3, Instructions: 219COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 644 380ec00-380ec18 646 380ec20-380ec27 644->646 647 380ec29-380ec38 646->647 648 380ec6e-380ec75 646->648 647->648 653 380ec3a-380ec67 647->653 649 380ed4b-380ed5f 648->649 650 380ec7b-380ed44 648->650 655 380ed65-380edf5 649->655 656 380edfd-380ee04 649->656 650->649 653->648 655->656 658 380eeda-380eee1 656->658 659 380ee0a-380eed3 656->659 661 380eee3-380eeee 658->661 662 380ef1c-380ef20 658->662 659->658 661->662 671 380eef0-380ef15 661->671 671->662
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: +bn^$;bn^$an^
                                                        • API String ID: 0-3367650751
                                                        • Opcode ID: f245177e0d1748d91fef31d6b7931a46e5b56d26a45f2ec0c04cd2b7b2d528af
                                                        • Instruction ID: fe5ddd8e27cc92092792ca2d5bac85943435a53ef649d2c1711d87e1bd7a0996
                                                        • Opcode Fuzzy Hash: f245177e0d1748d91fef31d6b7931a46e5b56d26a45f2ec0c04cd2b7b2d528af
                                                        • Instruction Fuzzy Hash: 928193307042419FC748EF34D89466AB7A3EBC1204F18C95ED5069F3D6DB7AAD0A8B92
                                                        Function 0380EC10 Relevance: 4.0, Strings: 3, Instructions: 214COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 699 380ec10-380ec18 700 380ec20-380ec27 699->700 701 380ec29-380ec38 700->701 702 380ec6e-380ec75 700->702 701->702 707 380ec3a-380ec67 701->707 703 380ed4b-380ed5f 702->703 704 380ec7b-380ed44 702->704 709 380ed65-380edf5 703->709 710 380edfd-380ee04 703->710 704->703 707->702 709->710 712 380eeda-380eee1 710->712 713 380ee0a-380eed3 710->713 715 380eee3-380eeee 712->715 716 380ef1c-380ef20 712->716 713->712 715->716 725 380eef0-380ef15 715->725 725->716
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: +bn^$;bn^$an^
                                                        • API String ID: 0-3367650751
                                                        • Opcode ID: b04fa0036113051faa75c9c0e65c7a53194a8011f179b7f078db57422b0fa324
                                                        • Instruction ID: 889c3d2e41873003bebf822a97df653b3e78c66ca69006c1b48bf8f19df9cc88
                                                        • Opcode Fuzzy Hash: b04fa0036113051faa75c9c0e65c7a53194a8011f179b7f078db57422b0fa324
                                                        • Instruction Fuzzy Hash: 208182307042419FC748EF74D89466AB7A3EBC1204F14C95ED5069F3D6DB7AAD0A8B92
                                                        Function 0D68D7B1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 929 d68d7b1-d68d7be 930 d68d7cd-d68d872 SetWindowLongA 929->930 931 d68d7c0-d68d7c6 call d68d7e0 929->931 936 d68d87b-d68d898 930->936 937 d68d874-d68d87a 930->937 933 d68d7cc 931->933 937->936
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Gfr
                                                        • API String ID: 0-4134379521
                                                        • Opcode ID: 8476d21b6aa1f8066766420c5cf92c12dca5812bb26262cc39cf27d70ab179ee
                                                        • Instruction ID: 9d8b17125312025e9d8a63a3392d63b92cfefe896a35d75f67253e437af88855
                                                        • Opcode Fuzzy Hash: 8476d21b6aa1f8066766420c5cf92c12dca5812bb26262cc39cf27d70ab179ee
                                                        • Instruction Fuzzy Hash: F031C3B18043848FCB12DF69C88479EBFF4AF4A314F19809AD458E7792D335A945CFA5
                                                        Function 01EBB5E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 941 1ebb5e8-1ebb668 VirtualProtect 943 1ebb66a-1ebb670 941->943 944 1ebb671-1ebb692 941->944 943->944
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 01EBB65B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2668524813.0000000001EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1eb0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: $Gfr
                                                        • API String ID: 544645111-4134379521
                                                        • Opcode ID: 86d2e2449d112618025dabfb3b5b1756809c211352ad73b47ea09479e948bf77
                                                        • Instruction ID: 5216ce7dce906c5d831ac8bc4a0065b453c935065e6219b39248cdc10bd3556d
                                                        • Opcode Fuzzy Hash: 86d2e2449d112618025dabfb3b5b1756809c211352ad73b47ea09479e948bf77
                                                        • Instruction Fuzzy Hash: 0121B7B59002499FDB10DF9AD584BDEFBF4FB48320F10842AE958A7250D774A944CFA5
                                                        Function 0D68D800 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 946 d68d800-d68d83b 947 d68d843-d68d872 SetWindowLongA 946->947 948 d68d87b-d68d898 947->948 949 d68d874-d68d87a 947->949 949->948
                                                        APIs
                                                        • SetWindowLongA.USER32(?,?,?), ref: 0D68D865
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID: $Gfr
                                                        • API String ID: 1378638983-4134379521
                                                        • Opcode ID: 9fa47fd3d5462f671e0f75a3cb7be0757a10ab129b02a24856dea8b8805b3e25
                                                        • Instruction ID: 33165c54f2926b2be3f33b6c6dbaecda1823269cd941b992f37e6605d1c3fc03
                                                        • Opcode Fuzzy Hash: 9fa47fd3d5462f671e0f75a3cb7be0757a10ab129b02a24856dea8b8805b3e25
                                                        • Instruction Fuzzy Hash: 3A113AB59002489FCB20DF9AD948BDEFFF8EB88320F24841AD518A7740D774A944CFA5
                                                        Function 03804FC9 Relevance: 2.8, Strings: 2, Instructions: 314COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 2c q$D(q
                                                        • API String ID: 0-1878628521
                                                        • Opcode ID: 4d2ff3df324373eade769a4c10b08a4aafd60b2c0a4f65dff80c360ee1b741c0
                                                        • Instruction ID: 0371de7f27fa470f14c2f076963ab1db1aad29923c93da8e91867e6d703cba9a
                                                        • Opcode Fuzzy Hash: 4d2ff3df324373eade769a4c10b08a4aafd60b2c0a4f65dff80c360ee1b741c0
                                                        • Instruction Fuzzy Hash: 6BA1A530B0C6498FCBA5D6F98C6067A36E6BF87614B1944EAD211CB2D4EE358D01CB76
                                                        Function 0380B738 Relevance: 2.7, Strings: 2, Instructions: 234COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 3xn^$Cxn^
                                                        • API String ID: 0-1555302165
                                                        • Opcode ID: b021f65c7d34a3346478710ae7cf7e3b3f41ce9bc9ca0aa9383559a9a949c9fc
                                                        • Instruction ID: f2d2b119831bb986de4a4127e090f110049dcc28b7848d5d972a3236df821e32
                                                        • Opcode Fuzzy Hash: b021f65c7d34a3346478710ae7cf7e3b3f41ce9bc9ca0aa9383559a9a949c9fc
                                                        • Instruction Fuzzy Hash: 17817C303046018FC749FB38D9589BE77A7ABC6700B508929D6069B3C9EF79AD0787D6
                                                        Function 0380B748 Relevance: 2.7, Strings: 2, Instructions: 227COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 3xn^$Cxn^
                                                        • API String ID: 0-1555302165
                                                        • Opcode ID: 568c4e89679fe10ed2108e56c0de4cced890ae8a44bddf0f21f799bc69f99cc6
                                                        • Instruction ID: 5b62b51157b4d4d66bf36c731925d095ee7586dfa0ebbd4545dcffbb444f037c
                                                        • Opcode Fuzzy Hash: 568c4e89679fe10ed2108e56c0de4cced890ae8a44bddf0f21f799bc69f99cc6
                                                        • Instruction Fuzzy Hash: 25818A303046018BC749FB38D45897E77ABABC6700B508929CA069B3C9EF79AD0787D6
                                                        Function 0714C518 Relevance: 2.6, Strings: 2, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -(q$-(q
                                                        • API String ID: 0-472721363
                                                        • Opcode ID: c4049a3a90a7665fc776cb2ecd9b9d3f00fe0dda9fea7daf6009cf15901ffa9a
                                                        • Instruction ID: b5a46415b5b6ba961a9c0c600cb416cd9ec2b685ba3d1f2d10a332378632f67d
                                                        • Opcode Fuzzy Hash: c4049a3a90a7665fc776cb2ecd9b9d3f00fe0dda9fea7daf6009cf15901ffa9a
                                                        • Instruction Fuzzy Hash: 9541ADB57016018FCB1AEF38D46497E7BB6BF89614711446DD44ADB3A1DF20EC02C7A1
                                                        Function 110E31B0 Relevance: 1.7, APIs: 1, Instructions: 179COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 110E330F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::cancel_current_task
                                                        • String ID:
                                                        • API String ID: 118556049-0
                                                        • Opcode ID: 7dd2e053c51a893ddb78aaf14153cdb3b94e2ebcf8fa1b1e91bccb4dddab2dcf
                                                        • Instruction ID: 250f98052d0db63dfb76c9b48051ff1cf70a3bd98f922fe3809ed499d2547249
                                                        • Opcode Fuzzy Hash: 7dd2e053c51a893ddb78aaf14153cdb3b94e2ebcf8fa1b1e91bccb4dddab2dcf
                                                        • Instruction Fuzzy Hash: 5151AC72E051169FCB05CFA9C885A9EBBF5FF48314F1102ADE855DB340DB31AA11CB91
                                                        Function 0D1712C8 Relevance: 1.7, APIs: 1, Instructions: 158COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL ref: 0D171303
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2726306866.000000000D170000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D170000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d170000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID: CallbackDispatcherUser
                                                        • String ID:
                                                        • API String ID: 2492992576-0
                                                        • Opcode ID: c5a0ed6c6f2e9c219358724c1f6af8d15c8dfae7dd854443a3fa0415139eb1ff
                                                        • Instruction ID: 188a0baedffa465c317f67ad5cec21a61d79b0c8094930b306fb1861b2ac0220
                                                        • Opcode Fuzzy Hash: c5a0ed6c6f2e9c219358724c1f6af8d15c8dfae7dd854443a3fa0415139eb1ff
                                                        • Instruction Fuzzy Hash: BF41192271831167EB656568882077F22BEE7C8751F21803AD505D7BEECFB4CE8157E1
                                                        Function 03809C8B Relevance: 1.5, Strings: 1, Instructions: 241COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d
                                                        • API String ID: 0-2564639436
                                                        • Opcode ID: b44d5e25966f7753f6a695704b19ade116610865052fa671a214f5bed9345480
                                                        • Instruction ID: 73dc3e39e44b13954d15b5df24f607ae181317b63971f3fded21a7fd871d9440
                                                        • Opcode Fuzzy Hash: b44d5e25966f7753f6a695704b19ade116610865052fa671a214f5bed9345480
                                                        • Instruction Fuzzy Hash: 3DA14B35600606CFCB24CF59C88096ABBF6FF84310B59C9A9D5698B6A6DB30FC45CB84
                                                        Function 071414D0 Relevance: 1.5, Strings: 1, Instructions: 224COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C6
                                                        • API String ID: 0-4041153987
                                                        • Opcode ID: 8af1b719584b804d695b3eb3274a880e360f10ceea4b5963c79a5fc2b7061887
                                                        • Instruction ID: a02900de936e08fdd6754752bb5788e7057188320487c271a6d60369c4c2d266
                                                        • Opcode Fuzzy Hash: 8af1b719584b804d695b3eb3274a880e360f10ceea4b5963c79a5fc2b7061887
                                                        • Instruction Fuzzy Hash: 7C8181717002459FC714EB74E850AAEB7A3FFC5700B55CA2DD2069B6A0EF71EC059BA2
                                                        Function 11C91EB0 Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: |Y(q
                                                        • API String ID: 0-429865479
                                                        • Opcode ID: ef7793c9ed7923577616ba15b2a562d5064526d273499f5a485d0a626bb1a39d
                                                        • Instruction ID: 408c96cabbe7b6bde111034390fb207733d125ae5881189d36e5774a16890da0
                                                        • Opcode Fuzzy Hash: ef7793c9ed7923577616ba15b2a562d5064526d273499f5a485d0a626bb1a39d
                                                        • Instruction Fuzzy Hash: 7D714676700109CFDB08DB69D858B6EBAB3AF88711F11806AE906DB3A5DF70DC42CB51
                                                        Function 11C91EA3 Relevance: 1.4, Strings: 1, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: |Y(q
                                                        • API String ID: 0-429865479
                                                        • Opcode ID: 01dcad0df9abda3fa84706363d5f1596e65a9a90c39b93fdd574943ce5194413
                                                        • Instruction ID: c49a9ed04d7b52b0c8bf612ae8e393ed0babb9244bcce15de805268177f29bbd
                                                        • Opcode Fuzzy Hash: 01dcad0df9abda3fa84706363d5f1596e65a9a90c39b93fdd574943ce5194413
                                                        • Instruction Fuzzy Hash: 0D516975701209CFD704DB69D458B6EBBB3AF88611F11806AE9469B3A1DF70DD02CB91
                                                        Function 11C910C4 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Gfr
                                                        • API String ID: 0-4134379521
                                                        • Opcode ID: 7147918b638ca0466e71efab435b9448e9a6ab47dabe85c5650790d5ba6b1235
                                                        • Instruction ID: f845e9c5bb217dad984affe834bb92c199564f9dd1f319fae6f07553df9181da
                                                        • Opcode Fuzzy Hash: 7147918b638ca0466e71efab435b9448e9a6ab47dabe85c5650790d5ba6b1235
                                                        • Instruction Fuzzy Hash: 055134B0D00249DFDB18CFA9D895BDEBBB2BF89310F10816DD815AB294DB749844CF91
                                                        Function 11C910D0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Gfr
                                                        • API String ID: 0-4134379521
                                                        • Opcode ID: fe2e6df41d2c89d3468b5b9b5b16216bf45b941b51c073f9f771a84698eab09d
                                                        • Instruction ID: 4351b76aa43ef086169682c92ddb318a5107ecdcfd1b4ff1d3b561e3914f6f9d
                                                        • Opcode Fuzzy Hash: fe2e6df41d2c89d3468b5b9b5b16216bf45b941b51c073f9f771a84698eab09d
                                                        • Instruction Fuzzy Hash: 6C5114B0D00249DFDB08DFA9C895B9EBBB1BF88314F14816DD815AB394DB749844CF91
                                                        Function 11C93878 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @1(q
                                                        • API String ID: 0-3852920710
                                                        • Opcode ID: fa270f3a66fbd03ae1c07620e862a18984d5bf7dd349f66fde2d0de8f3223113
                                                        • Instruction ID: 753f11ead5f478bd631be7439b4bcab8518f03404a3ec1fcd003dd8ece540245
                                                        • Opcode Fuzzy Hash: fa270f3a66fbd03ae1c07620e862a18984d5bf7dd349f66fde2d0de8f3223113
                                                        • Instruction Fuzzy Hash: A9416A767246118FC704DF39D88495ABBF9FF8972031292AAE909CB361DB71EC05CB90
                                                        Function 11C978B0 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: |Y(q
                                                        • API String ID: 0-429865479
                                                        • Opcode ID: 9c9cdda33838bee01ed3888430419c50576783036e5d274c04219254b7d91fbb
                                                        • Instruction ID: 8d7ba0e44ea5a9de83583e3930ae75c1fd2d4a3e78619ce95611e1b4df4820b3
                                                        • Opcode Fuzzy Hash: 9c9cdda33838bee01ed3888430419c50576783036e5d274c04219254b7d91fbb
                                                        • Instruction Fuzzy Hash: 9B31B33170EF9DDFC7196626941092D3BB6EF8162172641ABD005DF2A1FE24CC02CFAA
                                                        Function 11C92241 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `y
                                                        • API String ID: 0-459895674
                                                        • Opcode ID: cd22a6866a9392e616d67b9022490d097bc6e978d796be9e49c84518f38887ee
                                                        • Instruction ID: a15e31a0ebd5199b956c1150c7bbaa966d5cf51832c2a29982fa2270f5f89b91
                                                        • Opcode Fuzzy Hash: cd22a6866a9392e616d67b9022490d097bc6e978d796be9e49c84518f38887ee
                                                        • Instruction Fuzzy Hash: F841AEB2E04248DFDB05CFA9D8047EEBFB6FB89310F14816AD841A7291DB754D06CB65
                                                        Function 0714C3E8 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -(q
                                                        • API String ID: 0-1637170117
                                                        • Opcode ID: 1ac996f45907fd6402f8d14d6186d9072560c9dc4285d5d97f8a39b879554792
                                                        • Instruction ID: fd2967d010c822b125800426dd6e877b7e5536a84fd431164a69f94598b4a6ed
                                                        • Opcode Fuzzy Hash: 1ac996f45907fd6402f8d14d6186d9072560c9dc4285d5d97f8a39b879554792
                                                        • Instruction Fuzzy Hash: 5441AF75B012458FCB16DFB8C4549AEBBF2BF89210B1444AED146EB3A1DB35EC41CBA0
                                                        Function 03806E67 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: a(q
                                                        • API String ID: 0-2990292533
                                                        • Opcode ID: dbc8ef360b54683934ca0b97a616cc8ced08ca90d061130270a337ca1b4a60ba
                                                        • Instruction ID: 8024e9e1d821dba453a7e91be6500047d2f11604fd13d9f8cb9ee929442d1534
                                                        • Opcode Fuzzy Hash: dbc8ef360b54683934ca0b97a616cc8ced08ca90d061130270a337ca1b4a60ba
                                                        • Instruction Fuzzy Hash: 4F21AE367047129BDFA5CAAADD002367BEAEBC4255B19C4E9D805C7281FF28D821C7A0
                                                        Function 03806E78 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: a(q
                                                        • API String ID: 0-2990292533
                                                        • Opcode ID: 2deead329b99a425322d403a35a1ec34da471bf44bb54282c7c9cda151347f0a
                                                        • Instruction ID: b0a2d4b536d843b34cce0db8b3fa85bb83ecb60e6b1d023f072139ba495f2fdf
                                                        • Opcode Fuzzy Hash: 2deead329b99a425322d403a35a1ec34da471bf44bb54282c7c9cda151347f0a
                                                        • Instruction Fuzzy Hash: 52118C757007028FDB64CA6AC81063AB6EAEFC4655B28C4BDE406CB3A1FF24DC50C760
                                                        Function 0380A063 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ti(q
                                                        • API String ID: 0-4165007224
                                                        • Opcode ID: b3cae5ebc39fe4a9d3dd78c3413088bbd8eded99608eecb51595f83e56f66c73
                                                        • Instruction ID: 013d8cf9a64da467942be4af7986df3f61bfa961d8f2c5862fb3bc6708fca508
                                                        • Opcode Fuzzy Hash: b3cae5ebc39fe4a9d3dd78c3413088bbd8eded99608eecb51595f83e56f66c73
                                                        • Instruction Fuzzy Hash: 39112B31B04A0ADB835EDBA4E85043DB263BBC02983448AA9D107DF3C4CF6E9C46DB91
                                                        Function 0380A9A1 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ti(q
                                                        • API String ID: 0-4165007224
                                                        • Opcode ID: 1994a4f83e0b8380eb4f7926199a84a0751070ffcc3e25451aa0333c1eb01e8b
                                                        • Instruction ID: 8ceb336ecb37f35c7089d28b2e2ad4da8156c34c42ec405945c7a6da389a6a90
                                                        • Opcode Fuzzy Hash: 1994a4f83e0b8380eb4f7926199a84a0751070ffcc3e25451aa0333c1eb01e8b
                                                        • Instruction Fuzzy Hash: 52110471A0478ACFCB04EFA8EC449ADBBB1FB85200F0045AAD145E71D0EB785408CB92
                                                        Function 0380A9B0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ti(q
                                                        • API String ID: 0-4165007224
                                                        • Opcode ID: 435af2359c6016c1e77754e07c8d9da4a8fdf68f3af66877563ee48026b241d8
                                                        • Instruction ID: 04769b1393e3a3dcd278cd69eb1712475537891acabb7e840a30f1f08c86d8be
                                                        • Opcode Fuzzy Hash: 435af2359c6016c1e77754e07c8d9da4a8fdf68f3af66877563ee48026b241d8
                                                        • Instruction Fuzzy Hash: F611E531A0474E8FCB04EFA8E8449AEBBB5FB85200B0045AAD145E7194EB78A508CB91
                                                        Function 11C93341 Relevance: 1.3, Strings: 1, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `y
                                                        • API String ID: 0-459895674
                                                        • Opcode ID: 4d50f302d57d1868befa3fd7c00a348fb7d03435475146c6baa4d6d6c6f8b66e
                                                        • Instruction ID: 031cc483f7402afbbffe01bd302bc56c9d0ad14c1a7b8a398fc6d611f8e868ff
                                                        • Opcode Fuzzy Hash: 4d50f302d57d1868befa3fd7c00a348fb7d03435475146c6baa4d6d6c6f8b66e
                                                        • Instruction Fuzzy Hash: 38E086227893806BC70691AD7C50749AB569FC7960F5505AEE184DF29BC450DC048396
                                                        Function 03808620 Relevance: .4, Instructions: 372COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 196489c651084014100ba855f46533f3c1c7728cb98883b4a5230ed68339dc3c
                                                        • Instruction ID: a9062161930584c71e90a9d790d0b66f97542676f8f9bdd5f4e3d76661953214
                                                        • Opcode Fuzzy Hash: 196489c651084014100ba855f46533f3c1c7728cb98883b4a5230ed68339dc3c
                                                        • Instruction Fuzzy Hash: 6BF19BB46043598FCB10DFA8C994A9ABBF1FF49314F054299D455EB3E2C738E881CBA5
                                                        Function 071497F8 Relevance: .4, Instructions: 363COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d0d5e8b737ab27b3e16d6baa98be8d96a9d821de7f637e561508bf27ff78c3a0
                                                        • Instruction ID: 665b2d0877ee11480880d04c2311b7d4a7d54aea175b3d1cd7b5166a7ed477f6
                                                        • Opcode Fuzzy Hash: d0d5e8b737ab27b3e16d6baa98be8d96a9d821de7f637e561508bf27ff78c3a0
                                                        • Instruction Fuzzy Hash: CC024C70D00218DFDB51DFA8D950AADBBB2FF89300F1085AAD609BB290DB356E54CF52
                                                        Function 07149808 Relevance: .4, Instructions: 357COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ac5bb905fc7a093cddd11c3bbbc07d116ad8967ef0f396b925662437e38128c
                                                        • Instruction ID: 43271701d6b9f58975ab6aa447fddaf6abeb9b086dbbe133ed6ce01c1c663869
                                                        • Opcode Fuzzy Hash: 2ac5bb905fc7a093cddd11c3bbbc07d116ad8967ef0f396b925662437e38128c
                                                        • Instruction Fuzzy Hash: 68F14C70D00218DFDB50DFA4D950AADBBB2FF89300F1085AAD609BB290EB356E54CF52
                                                        Function 071427A0 Relevance: .4, Instructions: 355COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f615e53c0c94039af8d0086d1d8a00804b99ffe8a88ae79e858ba0c548cd0f36
                                                        • Instruction ID: 13a3d7fa915b187967dba217e1433fbb104292e6acc3bb9642f7e2246e4d03bc
                                                        • Opcode Fuzzy Hash: f615e53c0c94039af8d0086d1d8a00804b99ffe8a88ae79e858ba0c548cd0f36
                                                        • Instruction Fuzzy Hash: B9C1D471A0021ACFCB25DF25D844BAE77B6BF85304F2185A9D508AB291EF309D85DFE1
                                                        Function 03808728 Relevance: .3, Instructions: 325COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8560656d95aab15e2cb3f3fe1e28cd4fa19eb141cf77e42706fa900d1ae89551
                                                        • Instruction ID: 41de3d66c4246df2f677707ce4dfde05c71d6542ba99709233a455fafdd3355c
                                                        • Opcode Fuzzy Hash: 8560656d95aab15e2cb3f3fe1e28cd4fa19eb141cf77e42706fa900d1ae89551
                                                        • Instruction Fuzzy Hash: 51E15AB4600219CFCB50DFA8C994AAABBF1FF48314F154699E455AB3E1D738E881CF90
                                                        Function 03808719 Relevance: .3, Instructions: 320COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a4b98504ffa811a6e1f8d724959e287b953e045de0d22ff09ade7478ad1d75e9
                                                        • Instruction ID: a3716b1324bc47e7b55b269a7cc622c9f0ac0173a5d0ec3a605333ae63a909f2
                                                        • Opcode Fuzzy Hash: a4b98504ffa811a6e1f8d724959e287b953e045de0d22ff09ade7478ad1d75e9
                                                        • Instruction Fuzzy Hash: 0BE13CB4600219CFCB54DFA8C984A9ABBF1FF48324F154699D855AB3E1D738E881CF91
                                                        Function 11C93380 Relevance: .2, Instructions: 243COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 823001809f3e865b147458b58db3459ea7c17e58be9ba33c67bf1916ca3c60bf
                                                        • Instruction ID: 6525a578d4208f1156f7e69fc8969a5823dea91e2b97a2b08f51925a2f8260ce
                                                        • Opcode Fuzzy Hash: 823001809f3e865b147458b58db3459ea7c17e58be9ba33c67bf1916ca3c60bf
                                                        • Instruction Fuzzy Hash: 77917F72B00604CBCB249BB8D14855EFBF2BF89720B609A19D456EB794DF34EC46CB91
                                                        Function 11C93388 Relevance: .2, Instructions: 241COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05170a75f02532b8d855fb629e1b3598d276ce38b3a353eec5c415df1c773192
                                                        • Instruction ID: 7d894193fc038cfa43b6778b4c4bb9f107577f080569ee4d074c60f4f23d3df8
                                                        • Opcode Fuzzy Hash: 05170a75f02532b8d855fb629e1b3598d276ce38b3a353eec5c415df1c773192
                                                        • Instruction Fuzzy Hash: 68917E72B00604CBCB249BB8D14855DFBF2BF88B20B609A19D456EB794DF34EC46CB91
                                                        Function 0714C690 Relevance: .2, Instructions: 237COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 358f529a89be5a1c34f68eb0345da1c7d6184ab9c71d3fadd93a4962d56eec9f
                                                        • Instruction ID: 5079e492772ae1dfaf512fbc115b60c65c282b8d4ccb50c32a50c55dcea137f4
                                                        • Opcode Fuzzy Hash: 358f529a89be5a1c34f68eb0345da1c7d6184ab9c71d3fadd93a4962d56eec9f
                                                        • Instruction Fuzzy Hash: 149162707062428BDB58EF79D49092EB7B7BFCA601714993DD1068B384DF38AC058BD2
                                                        Function 11C94510 Relevance: .2, Instructions: 235COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 743235395da658d682f25e6caedb98134ebed74ac3a0afd5d1262782807ebde3
                                                        • Instruction ID: 1d9e607d5b55aa86adc993c438f66c4ab53f28e662a2a03752b55b4d4ebd8482
                                                        • Opcode Fuzzy Hash: 743235395da658d682f25e6caedb98134ebed74ac3a0afd5d1262782807ebde3
                                                        • Instruction Fuzzy Hash: 8391E172A04345CFCB09DF39C98425ABFF6BF86300F1581AAD905DB2A6EB70D845CB91
                                                        Function 11C93F00 Relevance: .2, Instructions: 228COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 738b771fbd945c1181d06fdb74cc94d16b001bf28ba6d9a7e7e632e588c05573
                                                        • Instruction ID: bc405e7fabca8e2697463c2f76e6463f9badfadef549bf4696d6138709671301
                                                        • Opcode Fuzzy Hash: 738b771fbd945c1181d06fdb74cc94d16b001bf28ba6d9a7e7e632e588c05573
                                                        • Instruction Fuzzy Hash: 4EB1CE79A10219DFCB54CF68C984EA9BBB1FF48315F118199E9199B362DB30EE85CF40
                                                        Function 0714C680 Relevance: .2, Instructions: 226COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 10258be839e4af3236e1c2ca09761b045474aca728e4bdb8e4e79056f04cde72
                                                        • Instruction ID: a66cb3136f9fc80d087ff45bf1fd00602171b4c6af0b0c02c1e208ecba036615
                                                        • Opcode Fuzzy Hash: 10258be839e4af3236e1c2ca09761b045474aca728e4bdb8e4e79056f04cde72
                                                        • Instruction Fuzzy Hash: A18173B4706242CBDB18DF79D49096EB7B7BFCA601714993DD6069B280DF38AC058BE1
                                                        Function 07144E58 Relevance: .2, Instructions: 225COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ffb901985ba77efad1d4e9f904123c397dcc3bb36316aeaf176efba46a466d4
                                                        • Instruction ID: afdeec098b7ae591664586c966a21d386cf2da30c06730128f1ab9a77454630e
                                                        • Opcode Fuzzy Hash: 6ffb901985ba77efad1d4e9f904123c397dcc3bb36316aeaf176efba46a466d4
                                                        • Instruction Fuzzy Hash: 6381A0B5A0024A9FCB19DFA4D5546EEBBB2FF84310F20842AE815AB390DF749D55CBC1
                                                        Function 11C96450 Relevance: .2, Instructions: 212COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e9a0d3431c6b4853e854f7dd9d1fabcb4330fc5351717cd36e28ccfd56c368a
                                                        • Instruction ID: f30083bfa2ea35ef1b1abd6aab2f39ebb122b9de4cd2d572855112e891303b18
                                                        • Opcode Fuzzy Hash: 9e9a0d3431c6b4853e854f7dd9d1fabcb4330fc5351717cd36e28ccfd56c368a
                                                        • Instruction Fuzzy Hash: 4891D3756006058FD758CF6AC884E6ABBF2BF89714B5584A9E942CB7B1DB31EC01CB60
                                                        Function 038078D0 Relevance: .2, Instructions: 195COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c3e24f461d9e4399a1ee3bc7616fb125dc66d0cb300c8c437f33d7d027c7f59
                                                        • Instruction ID: 780c7acc08ce912dff5c9a42996d81c18c03053a4ed183a8558528d6ff8c5441
                                                        • Opcode Fuzzy Hash: 9c3e24f461d9e4399a1ee3bc7616fb125dc66d0cb300c8c437f33d7d027c7f59
                                                        • Instruction Fuzzy Hash: C2718271A00209DFDB54DFA8D844AAEBBF6FF88310F1484A9E805E7391DB75AD41CB90
                                                        Function 038068D0 Relevance: .2, Instructions: 189COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 739e417746250255b0d565a67f12896afa862d0f336210162a0895f94da64988
                                                        • Instruction ID: 39e71c285af8950282c97becc2d243721440723660ddfdf1ecad3c6a577bf5b9
                                                        • Opcode Fuzzy Hash: 739e417746250255b0d565a67f12896afa862d0f336210162a0895f94da64988
                                                        • Instruction Fuzzy Hash: 9D61A075B002158FCB44DBA8D890ABEF7F2FF89310B1844ADD946EB391EB31AD118B51
                                                        Function 0714BEA8 Relevance: .2, Instructions: 182COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ab257515e17adc8ec09b61ea50e94bfb181234b210353803a152f52b73ccc4ba
                                                        • Instruction ID: 14687a6dd68b312c3876c090c086e9c4fb3f07b6cab25cfdf958de501e050b64
                                                        • Opcode Fuzzy Hash: ab257515e17adc8ec09b61ea50e94bfb181234b210353803a152f52b73ccc4ba
                                                        • Instruction Fuzzy Hash: 3D71DA78612209DFDB14DF64D598AAEBBB2FF48351F204069E906DB3A1DB31ED41CB90
                                                        Function 07144730 Relevance: .2, Instructions: 173COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4eccad29d02c660b067752a017bf4432221beef9bf0d685f3dfc46746fdd7a46
                                                        • Instruction ID: a6fbc2b9107ab436ccce22187cb790162114f22b7fcf85bdad0cbcf4e3070181
                                                        • Opcode Fuzzy Hash: 4eccad29d02c660b067752a017bf4432221beef9bf0d685f3dfc46746fdd7a46
                                                        • Instruction Fuzzy Hash: 795101B5B002898BDB159F69D8587AE7BB6EF89210F14406DE801E73C0CF348E4587A0
                                                        Function 03806170 Relevance: .2, Instructions: 172COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bffab4cab08b0e13cc2d364374ca4201778ce841a77712007a5b6317e83888e3
                                                        • Instruction ID: 63fa9cfff5851da1ea86074e78f0ea4939ce3424484987501c57e3120739e6f6
                                                        • Opcode Fuzzy Hash: bffab4cab08b0e13cc2d364374ca4201778ce841a77712007a5b6317e83888e3
                                                        • Instruction Fuzzy Hash: 595170312093C14FC7129B7898A05967FB2EF8322471985DBC5D5CF2E3EA289C1AC766
                                                        Function 11C95660 Relevance: .2, Instructions: 170COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de8b86d7a31b5ed08a9c11906955b99d4c75ffb839a16526f35630d1727d305c
                                                        • Instruction ID: 77d68d5d3fa1ea82efa4d868136d88982c62cb5875bec7f7b8a28617f92eec41
                                                        • Opcode Fuzzy Hash: de8b86d7a31b5ed08a9c11906955b99d4c75ffb839a16526f35630d1727d305c
                                                        • Instruction Fuzzy Hash: FA61AD71A00748CFD724CF25D588B6ABBF2BF88714F10855EE4468BBA1CB75E846CB51
                                                        Function 0380E767 Relevance: .2, Instructions: 164COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a140991a6f4aedadb0d9953bcfa4a540f2242910d6af07a95ddc87dd98e7351f
                                                        • Instruction ID: 66a3910f872f7e966ee1c40e01f86757e6952d0db63daf512ecb760f82ffa2fa
                                                        • Opcode Fuzzy Hash: a140991a6f4aedadb0d9953bcfa4a540f2242910d6af07a95ddc87dd98e7351f
                                                        • Instruction Fuzzy Hash: BA51A2717046429BD744DBB9A88466EB7E6FFD4600B08887CD44ADB381DF38FD058792
                                                        Function 03803DDF Relevance: .2, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f937b26aa9f0fe132d28668b8baa1b6f5fe93d2081a165280d24c44004289d7
                                                        • Instruction ID: 87d14a500f7d50fc8586b633bf90086611dc2b628e18d98870e8e90b7aef1c23
                                                        • Opcode Fuzzy Hash: 0f937b26aa9f0fe132d28668b8baa1b6f5fe93d2081a165280d24c44004289d7
                                                        • Instruction Fuzzy Hash: A8714C31A5020ACFCB45DFA0E4A09AE7772FF86708F505929C6016B394CF7AAC46CF95
                                                        Function 03806AA8 Relevance: .2, Instructions: 159COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c574e0781536326f0e90a2e3e91c7507fb0c5592a9226253fc9953ae7c19001
                                                        • Instruction ID: 8a3c610f0a95d2c24ab5421d7e075563da4366c1feef8fe12baa8ec3168fd0cd
                                                        • Opcode Fuzzy Hash: 9c574e0781536326f0e90a2e3e91c7507fb0c5592a9226253fc9953ae7c19001
                                                        • Instruction Fuzzy Hash: F3512B75B042449FDB05DBB8C854AADBBB6FF89310F1880AAD901EB391DB309C01CB60
                                                        Function 0714E000 Relevance: .2, Instructions: 159COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1eb45a35f9426f8a9a8ab9a85fa9d85a15fe7a83e9a63235c5d99f8b79ded1c1
                                                        • Instruction ID: ba25373e6d2904fabb1e65a2978e3896b895ca669bed0ed5044cafa482737026
                                                        • Opcode Fuzzy Hash: 1eb45a35f9426f8a9a8ab9a85fa9d85a15fe7a83e9a63235c5d99f8b79ded1c1
                                                        • Instruction Fuzzy Hash: 8651B3B4A093899FCB16CBB4E4595EDBFF0BF46210F0504EBD446EB292C7355848CB62
                                                        Function 03803DF0 Relevance: .2, Instructions: 154COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bba60a97214ce1b3f77e6b3a66d66a681d25552d20d8d315958b17e63a1ca5ac
                                                        • Instruction ID: 906de58006815ae301c360075a713b241fd9d5c8eac88d7385df382e0d0ac0c7
                                                        • Opcode Fuzzy Hash: bba60a97214ce1b3f77e6b3a66d66a681d25552d20d8d315958b17e63a1ca5ac
                                                        • Instruction Fuzzy Hash: 02612A31A5020ACFC749DFA0E4A09AE7772FF86709F505929C6016B394CF7AAC46CF95
                                                        Function 11C91894 Relevance: .2, Instructions: 150COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d1ae57c3da206728fa9914c4a631e3fd7a95b4ec853cf2733e5bdf8c88cf0e5e
                                                        • Instruction ID: c3245d66cfc0cbe375570baa355e74f30420e8a7d2a0fb6363b347af15fe31d1
                                                        • Opcode Fuzzy Hash: d1ae57c3da206728fa9914c4a631e3fd7a95b4ec853cf2733e5bdf8c88cf0e5e
                                                        • Instruction Fuzzy Hash: 70515E70A04259CFDB15CF2AC44575DBBF6ABC5220F1184AED449AB351EF789D41CF81
                                                        Function 11C93CA4 Relevance: .1, Instructions: 149COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a11649d937774f589b9bb76c5e829dd9fbbff1719b3ffca9bbccf1222982725a
                                                        • Instruction ID: ee3a3a93cc02736b3f9dc389eac6280fc574700d581777b5852cee4852c2c6b4
                                                        • Opcode Fuzzy Hash: a11649d937774f589b9bb76c5e829dd9fbbff1719b3ffca9bbccf1222982725a
                                                        • Instruction Fuzzy Hash: 8A517A71A08258DFCB05DF69E54496DFBF6FF89310B1085AAE405D73A1EB359C42CB80
                                                        Function 11C95A80 Relevance: .1, Instructions: 145COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e95366832ed9149a927c7330f40ddee249a3c68b1042f8c8daf11a467c58f620
                                                        • Instruction ID: 0478b237d8849c61e4b25eb1d06d4bbbc336e7b7524dc5cba49c7c8c45a3978e
                                                        • Opcode Fuzzy Hash: e95366832ed9149a927c7330f40ddee249a3c68b1042f8c8daf11a467c58f620
                                                        • Instruction Fuzzy Hash: 38412172B043448FC716AB78D41461EBBB2FF96610F1485AAD446CB391CF34DD06CBA2
                                                        Function 11C918A0 Relevance: .1, Instructions: 144COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d5d9be91dad02b72046c4b767a33cfe9d33357e45471869611f75862f63ad7e5
                                                        • Instruction ID: 89744c45a73e0fb0c67c0c3debd78055840559dde8de8311ee284332ee55063c
                                                        • Opcode Fuzzy Hash: d5d9be91dad02b72046c4b767a33cfe9d33357e45471869611f75862f63ad7e5
                                                        • Instruction Fuzzy Hash: 8B514B70E04269CFCB148F2AC44575DBBF6ABC9220F1184AEE449A7391EF799D42CF81
                                                        Function 07141AD0 Relevance: .1, Instructions: 139COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18d8d598829d2d4a32054ffc6b4cde5581dccac15b17d762671d5b24410b5cf1
                                                        • Instruction ID: aaa99cc83b2dc5f4b62b3e3a2c9fda2252a4608d851395feccb158f8f0804740
                                                        • Opcode Fuzzy Hash: 18d8d598829d2d4a32054ffc6b4cde5581dccac15b17d762671d5b24410b5cf1
                                                        • Instruction Fuzzy Hash: 0B512B70610B05DFC734CF29D88495AB7F2BF88710B158A2DD5568B6E5DB30F985CB90
                                                        Function 0714188F Relevance: .1, Instructions: 135COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f7d0ab24baa114ba9cdb1110c5c4e679bb07837925f8a66d83fd84862c82cd9
                                                        • Instruction ID: ba02ffdaf26e58a2f289dc496bdb39721940a24b7f9a25f8105e1864202d6421
                                                        • Opcode Fuzzy Hash: 4f7d0ab24baa114ba9cdb1110c5c4e679bb07837925f8a66d83fd84862c82cd9
                                                        • Instruction Fuzzy Hash: 5841BD716043499FC711DB68D815AAEBBF2FF89710F0484AAD506EB3D1DB35AD04CBA1
                                                        Function 11C936E4 Relevance: .1, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bca1c6d6c455358967c371fcf2088a3440d6ab8bc0a3885ada238157ddf4aa3d
                                                        • Instruction ID: 5aabc30b995d4fcc6e8d0aab1332811c03c513ae563b6635ddf7620076b84c87
                                                        • Opcode Fuzzy Hash: bca1c6d6c455358967c371fcf2088a3440d6ab8bc0a3885ada238157ddf4aa3d
                                                        • Instruction Fuzzy Hash: 3941BFB6B04119DFD704CF69D984AAEBBBAEF88710B119166E908DB311D771EC01CBA0
                                                        Function 07144610 Relevance: .1, Instructions: 132COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2bc838c9e155167ee95e4ca0c7fb59e9379eef1db2e9892a2fda8e76b88fc5b6
                                                        • Instruction ID: f57ffae44d2315464b3dc023086feb8e190dcf772958a8600c753966ec93cf9a
                                                        • Opcode Fuzzy Hash: 2bc838c9e155167ee95e4ca0c7fb59e9379eef1db2e9892a2fda8e76b88fc5b6
                                                        • Instruction Fuzzy Hash: FD313BB67092D45FC717173968146BE3F6AEBC6A21719416FD405C77C1CE298C0683E2
                                                        Function 0714A613 Relevance: .1, Instructions: 128COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 898163f8aa87154438f0b72b1d1f702b0f393a8972981ddd211bca4a2266e703
                                                        • Instruction ID: 13ff7912949f5ab038dade588e9e8e05bc599dff705b227f0f40fb2a4a7cdf49
                                                        • Opcode Fuzzy Hash: 898163f8aa87154438f0b72b1d1f702b0f393a8972981ddd211bca4a2266e703
                                                        • Instruction Fuzzy Hash: B7510431A053868FDB15DF24D95479DBBB2FF86300F05899BC006BB291DB74AD89CB91
                                                        Function 11C92D10 Relevance: .1, Instructions: 125COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e45a16ca22711e4256cb53230c95312376335c896bc8eb35dd00bc54e435161a
                                                        • Instruction ID: 37a98c5b6ec668f49118e4cf2175cba2aad5c33846b803953bfb396b0c71a1ce
                                                        • Opcode Fuzzy Hash: e45a16ca22711e4256cb53230c95312376335c896bc8eb35dd00bc54e435161a
                                                        • Instruction Fuzzy Hash: FA519031A0075ACFDB15CF65C44069EFBB2FF89310F1085AAE849AB351DB70A985CF81
                                                        Function 11C92905 Relevance: .1, Instructions: 123COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec08605e24abd8e574af9b18719bda03065720699895c9881a1534199d3d3a52
                                                        • Instruction ID: 5d47f11c2efb61cb58f61accea6089ff21d3d9ee9fbaa8f67e328ddcb93b7edc
                                                        • Opcode Fuzzy Hash: ec08605e24abd8e574af9b18719bda03065720699895c9881a1534199d3d3a52
                                                        • Instruction Fuzzy Hash: 0541BE72A04789CBD719DF75E4406AEFBF3BF85310F10891ED4829B640DB71E9468B92
                                                        Function 0380A2A0 Relevance: .1, Instructions: 119COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aab202df7d9457de1e92cb104801dfcd5d30c882bd931c9ee882087368138047
                                                        • Instruction ID: 2a2963481cb255c4006277f2d0ce3ead90f66ccee9a4a566ea3ddfe634ce4c31
                                                        • Opcode Fuzzy Hash: aab202df7d9457de1e92cb104801dfcd5d30c882bd931c9ee882087368138047
                                                        • Instruction Fuzzy Hash: BC316431B0830DCBCB9CDAF59C506BEB6A6ABD4218F1540BAC803EB2D5DE6D9C05C756
                                                        Function 11C943C0 Relevance: .1, Instructions: 116COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d389deb0fb750430eb2348c26e9a6c37e31046c82f5bc3bbcb3a9aa2e8a93791
                                                        • Instruction ID: c2c3c2b9ec3c4f885d77901b8a50a5be8ef31c9bca3cc6459dde297befc3f13d
                                                        • Opcode Fuzzy Hash: d389deb0fb750430eb2348c26e9a6c37e31046c82f5bc3bbcb3a9aa2e8a93791
                                                        • Instruction Fuzzy Hash: A13146333042949BD7162A79651832EFAE6EFC6620F5480AEE845C7381DE35CD0387A6
                                                        Function 07141357 Relevance: .1, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9d37259c9a014c33087aebe0cde3d5fa703590b260315605af874e340061df01
                                                        • Instruction ID: 1204eba39b1a74dfac33f98c6eba623ea631da6db7f915dc06a53c1e7c88a869
                                                        • Opcode Fuzzy Hash: 9d37259c9a014c33087aebe0cde3d5fa703590b260315605af874e340061df01
                                                        • Instruction Fuzzy Hash: 9841E5312097809FC712DF38D8A8895BFB1EF46314B0945DBD185CF1A3DB24A85ACBA6
                                                        Function 11C939B7 Relevance: .1, Instructions: 110COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6a485cc1095127ac6ed48042b3692125f73c399508a7637e184db94b7ae24f81
                                                        • Instruction ID: 642e5d059acb89d527fcf5de612e31470d4674b691b80283d8d56e3790d0d3e6
                                                        • Opcode Fuzzy Hash: 6a485cc1095127ac6ed48042b3692125f73c399508a7637e184db94b7ae24f81
                                                        • Instruction Fuzzy Hash: ED417E33A00115EFCB069FA5D944D9DBBB6FF8C710B5180A9E1099B261DB32EC22DB91
                                                        Function 0380A45B Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 168fba92e4edc1a57217967dc4d673bf852fdef3eb577b8e4732a2447b9f303c
                                                        • Instruction ID: e3c571dee9a258fa04e5875c5c53d7a2cde017436d02ad82e1af7c02073b15aa
                                                        • Opcode Fuzzy Hash: 168fba92e4edc1a57217967dc4d673bf852fdef3eb577b8e4732a2447b9f303c
                                                        • Instruction Fuzzy Hash: 89315D35A04708CFCB9CCAE9D89896D77B1BB88618B1144E6E503EB2E1CA789D40CB51
                                                        Function 071422B8 Relevance: .1, Instructions: 108COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64a255d96b2f26afd92fd117af127cba79fb82912ad77fc91448040a5ec566b2
                                                        • Instruction ID: 12e9f4bbabf1d2642b3891bb8fbfabb9e8ac9df31508f04a5cebcd3ddd8b71cf
                                                        • Opcode Fuzzy Hash: 64a255d96b2f26afd92fd117af127cba79fb82912ad77fc91448040a5ec566b2
                                                        • Instruction Fuzzy Hash: 3331E076700105DFCB05DFA8E884AAEBBB5FF89210B00803AE506DB391DB35DD55EBA0
                                                        Function 11C972FA Relevance: .1, Instructions: 107COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eb53ae8097125efb5ec2ed303b1723be6e42e1fc425152780795cb854714808c
                                                        • Instruction ID: 43eea21889bfac07fad62ee4e3008809c4a2d3f4b1333738346600d6cf156aa4
                                                        • Opcode Fuzzy Hash: eb53ae8097125efb5ec2ed303b1723be6e42e1fc425152780795cb854714808c
                                                        • Instruction Fuzzy Hash: 8441DA70B0AA59CFCB59DB2AC564A9977B2AF85304F1084E9D509DB354EF31ED81CF80
                                                        Function 11C91AA1 Relevance: .1, Instructions: 106COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: daac4096144a19f039e8901332c36397bd19062e7253dda60e3226405262be5f
                                                        • Instruction ID: 9a517adb57a7df221bdef150925082bce58a27607f5dcc2cf4dbc2a403890001
                                                        • Opcode Fuzzy Hash: daac4096144a19f039e8901332c36397bd19062e7253dda60e3226405262be5f
                                                        • Instruction Fuzzy Hash: 5641D5B4D04269CFDB24DF66C446B9CBBB6BB88310F10849ED40AA7B50EB745D81CF50
                                                        Function 11C939C8 Relevance: .1, Instructions: 104COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 34b102214bdcb9e3c4235e619261c904e61ca4ad8b26faf43006a63ab2ce4fb5
                                                        • Instruction ID: 95c042fb8354beb781599af04b950f44ff885d381dc192b1789693a32fb8e4f6
                                                        • Opcode Fuzzy Hash: 34b102214bdcb9e3c4235e619261c904e61ca4ad8b26faf43006a63ab2ce4fb5
                                                        • Instruction Fuzzy Hash: 5B317E33A00104EFCB459FA5D944D9DBBB6FF8C710B5181A9E1099B261DB32DC22DB90
                                                        Function 11C91AB4 Relevance: .1, Instructions: 104COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 69b823a682decfc64797dfc8352511679c96f50cfc397340d58362ed8e984fe5
                                                        • Instruction ID: 5b562f4c3cf10dc834f2d0564338570ed85034415595c63c5afda06c81c61eba
                                                        • Opcode Fuzzy Hash: 69b823a682decfc64797dfc8352511679c96f50cfc397340d58362ed8e984fe5
                                                        • Instruction Fuzzy Hash: 5841E3B0A04269CFDB24DF66C446B9CBBB6BB88310F10889ED40AA7B50EB745D81CF50
                                                        Function 03807E48 Relevance: .1, Instructions: 100COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 44d1131b0d484544786c9a13345c3f398a3c7488c7559e79ea0a8ab349718b50
                                                        • Instruction ID: f3290be8e8452eb8833866e9880ff75bc52d318913a4aa9d2502e56e1969ef19
                                                        • Opcode Fuzzy Hash: 44d1131b0d484544786c9a13345c3f398a3c7488c7559e79ea0a8ab349718b50
                                                        • Instruction Fuzzy Hash: D7410874A00249DFDB54DFA4D988AEEBBF2AF48300F148599E411BB391CB75AD41CF61
                                                        Function 0714A6D8 Relevance: .1, Instructions: 99COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76f66006097c88f5603cf0564fb7080a0472c8a641405707e52090e1d7e2ac20
                                                        • Instruction ID: 93faea2a263130f05548900c3fb379cfb430a032057fa2e43ec269723d508e2e
                                                        • Opcode Fuzzy Hash: 76f66006097c88f5603cf0564fb7080a0472c8a641405707e52090e1d7e2ac20
                                                        • Instruction Fuzzy Hash: 8541A030A0125ACBDB14DF64D944B9EBBB7FF85300F1189AAD50ABB250DB74AD85CF90
                                                        Function 03805B08 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e81dfe363a98e1c506df938e30d02d29094ad44b5190412a0369ebdead0d8411
                                                        • Instruction ID: d804a990242740cdbb30e62fb37ce52d6937461a46a52590643c8b30c5118978
                                                        • Opcode Fuzzy Hash: e81dfe363a98e1c506df938e30d02d29094ad44b5190412a0369ebdead0d8411
                                                        • Instruction Fuzzy Hash: A5319A316082498FC754DF68D8A0669BBF2BF81310F1885AED545CB3A5DB31ED45CBA2
                                                        Function 07145192 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8316533f9ec968cf7f46bf30096e62c95983752a4ccf4e7571312d764979c1bb
                                                        • Instruction ID: b0db238b1cb15dc5f98d647ee0470d0f6f37f876496c259aeca5a4646b98c199
                                                        • Opcode Fuzzy Hash: 8316533f9ec968cf7f46bf30096e62c95983752a4ccf4e7571312d764979c1bb
                                                        • Instruction Fuzzy Hash: 933181B5B00205DBCB14DBA5D594AEEBBF7EF88250F04442AD902F7390DB749D51CBA1
                                                        Function 038040A0 Relevance: .1, Instructions: 88COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 50b1526c968ec8bf83b82efae569bbbba18379d40bf6ade9962d285f1108ce52
                                                        • Instruction ID: ce4362327c2668b4cd36d138a162ea5def1d38593cf9a1267761013f998c9121
                                                        • Opcode Fuzzy Hash: 50b1526c968ec8bf83b82efae569bbbba18379d40bf6ade9962d285f1108ce52
                                                        • Instruction Fuzzy Hash: 79312C74A00219CFCB44DFA9D8949AEB7F2FF48304F1485A9D515AB3A1DB34AC01CF91
                                                        Function 0380F828 Relevance: .1, Instructions: 87COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cae1eed63c0c3262b747b07c71c27f3cf61dcd51a710ba03dda8b14c51d7dc26
                                                        • Instruction ID: d577742a76bb2fab7c227a37ebd28d7d7845531049fb3c8f35cceddd723b627d
                                                        • Opcode Fuzzy Hash: cae1eed63c0c3262b747b07c71c27f3cf61dcd51a710ba03dda8b14c51d7dc26
                                                        • Instruction Fuzzy Hash: ED21AB31B042149BD734AA79985C77B7A96AFC4755F1484BDCB828B3D0DE758C82C3E4
                                                        Function 11C937A8 Relevance: .1, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc3fc060d255f5f262dbcf8800172cb7e5f33a5d0289aeacce84e7c18a8d5a21
                                                        • Instruction ID: 7303b1b6715f0c2ee42aacb8f0284dd1e6227d8d9aabdb95134067494d5d8519
                                                        • Opcode Fuzzy Hash: cc3fc060d255f5f262dbcf8800172cb7e5f33a5d0289aeacce84e7c18a8d5a21
                                                        • Instruction Fuzzy Hash: 042109B63505149FD744DF6DD884E29BBEAFF88B11B118169F609CB761CB71EC018B90
                                                        Function 071451A0 Relevance: .1, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0de8bbe6babfec08d2dc80ea1b034229e385aca15978e1d07ec29569400da30c
                                                        • Instruction ID: e1a7f26d23617904b23e5310bd3f3beba108d5669407c6066a55559f069a3696
                                                        • Opcode Fuzzy Hash: 0de8bbe6babfec08d2dc80ea1b034229e385aca15978e1d07ec29569400da30c
                                                        • Instruction Fuzzy Hash: 953141B4B04205CBDB14DFA5D594AAEBBF7EF88650F04442AE902E7390DB74DC11CB61
                                                        Function 03804091 Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85a5a6566276359ab43db85fc41a27f454a76ad475958e13e630bd5768b5795a
                                                        • Instruction ID: 0c2ff5dee23098acc8d547e6505404105177d94a17bb489f623e717e7da5830a
                                                        • Opcode Fuzzy Hash: 85a5a6566276359ab43db85fc41a27f454a76ad475958e13e630bd5768b5795a
                                                        • Instruction Fuzzy Hash: 92312B30A0021ACFCB54DFA9C894AAEB7F2FF48304F1485A9D515AB3A5D734AD01CF91
                                                        Function 038067D8 Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f0720bc4fff5c08001a6eeaaaf024748a831b77d8f4aa749a17712a60f5deb9b
                                                        • Instruction ID: 9387dccd7f630164d352a47f43dc712e75f714123c7a7b08e14fcb55321f2fc9
                                                        • Opcode Fuzzy Hash: f0720bc4fff5c08001a6eeaaaf024748a831b77d8f4aa749a17712a60f5deb9b
                                                        • Instruction Fuzzy Hash: 0E210532B042048FCB44DBA8DC505BEB7A6FFC1210F1885AAD604DB281EF719D1587A2
                                                        Function 03806F23 Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 055b23e8894e8d2763cd62b541e27b35fc7514e8196266438e8c2459969c9c78
                                                        • Instruction ID: ba6cdb96177fe6e21d3f0f34a4451e7e1a529d56ee91c22e19ff58f6be660356
                                                        • Opcode Fuzzy Hash: 055b23e8894e8d2763cd62b541e27b35fc7514e8196266438e8c2459969c9c78
                                                        • Instruction Fuzzy Hash: 1D21B03A7006228BDB65CB79D85466A73AADFC4769F0844FAE906C7390EF35DC128780
                                                        Function 01DEECB0 Relevance: .1, Instructions: 83COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 13fe22955a6183530f6ec4cbb6dc8dda9c0e2a2b5f8dd3f439031fb1112a41e5
                                                        • Instruction ID: 362273d48826d17d5fde915a43e3f3a35c616a504dae9f6c86e2e04aca650e38
                                                        • Opcode Fuzzy Hash: 13fe22955a6183530f6ec4cbb6dc8dda9c0e2a2b5f8dd3f439031fb1112a41e5
                                                        • Instruction Fuzzy Hash: CF31D572100240EFDF06AF5CC9C4F267FA6FB88310F248699ED490A256C337D866DB62
                                                        Function 038067E8 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0fcaeca66e3bab7ebaf0d484ceb7c5daf3e76819386049af348968f56df2d32f
                                                        • Instruction ID: 75877b88ab46206b3966b0d84c1f41681f46ed460cf800d6e1bdfd1574f3d3e3
                                                        • Opcode Fuzzy Hash: 0fcaeca66e3bab7ebaf0d484ceb7c5daf3e76819386049af348968f56df2d32f
                                                        • Instruction Fuzzy Hash: 05210636B002048FCB44DBA9D8504BEF7A7FFC0210B18856EDA15D7384EF719D158BA2
                                                        Function 01DEEBB4 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 38387a80c743f195195fb38111a95c91424e60dbbe2458d8fba0e159d9dec274
                                                        • Instruction ID: b57b1b315f0fcda9e1c022de87a5ae053d914f84f00802b5471a2ca97cc289f1
                                                        • Opcode Fuzzy Hash: 38387a80c743f195195fb38111a95c91424e60dbbe2458d8fba0e159d9dec274
                                                        • Instruction Fuzzy Hash: E7212C72104200EFCF069F54D9C8B16BFA6FB8C315F24C699ED094B256C336D425CB62
                                                        Function 11C96AAE Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 082413cb65a36bc9cc062096fb64c7f50ce39d0bdb655c6ea7412f9b634aa653
                                                        • Instruction ID: 9fe9827165e94c3d1f8a5a735a4747a37a5cc36a084fc6d6310fce1cf25e6560
                                                        • Opcode Fuzzy Hash: 082413cb65a36bc9cc062096fb64c7f50ce39d0bdb655c6ea7412f9b634aa653
                                                        • Instruction Fuzzy Hash: 2631C570F082ADCBCB19CF2AC555A99B7B1EB48704F1084A9E1199B290EF35DD82CB51
                                                        Function 0380587F Relevance: .1, Instructions: 76COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a09ac628143d939241e23c6deedc53dac2d43e465ad58e3651ea78803bcfa47b
                                                        • Instruction ID: 4ba0ebac5720b26d3f35bd46680504fe2ae6cbae35a7b2fbb6cc9a410ccdc63a
                                                        • Opcode Fuzzy Hash: a09ac628143d939241e23c6deedc53dac2d43e465ad58e3651ea78803bcfa47b
                                                        • Instruction Fuzzy Hash: B5210F31B042559FC305B768E81852EBBE7FFC9A00B14C06EE606C7388CF689C068796
                                                        Function 07148999 Relevance: .1, Instructions: 73COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 357a7bc106741a030f46023b3c5a27c838d82929b0434772fa7c0713a12459bf
                                                        • Instruction ID: f769ae623474b09356672c82f2586ba825828aade2a76f56d1d9b5a9ef75dc32
                                                        • Opcode Fuzzy Hash: 357a7bc106741a030f46023b3c5a27c838d82929b0434772fa7c0713a12459bf
                                                        • Instruction Fuzzy Hash: F6113375300611ABC7166B38B46153E7BAAFFC2A54304442ED0069F380CF6CAC06CBD6
                                                        Function 11C96A54 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e6bed6a83529a1b2694c0996822645775916ef5bfea6bf56d1459ff2abe2b0ca
                                                        • Instruction ID: c60911d8a0f8b60522bc9b38949f7528da37f259af00efe5124771a14cd16eca
                                                        • Opcode Fuzzy Hash: e6bed6a83529a1b2694c0996822645775916ef5bfea6bf56d1459ff2abe2b0ca
                                                        • Instruction Fuzzy Hash: 7521D670F0816DCBCB19CA2AC564AA9B7B2EB48744F1044A9F409DB390EF35ED42CB51
                                                        Function 01DED01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe141bcf8ebf769c3b2d25b1bfc5bf879cce079f5982f736a57851f313671379
                                                        • Instruction ID: f56df628279b7b3754c54b469d874b3856463fe989f262452afc1bc740b8e47f
                                                        • Opcode Fuzzy Hash: fe141bcf8ebf769c3b2d25b1bfc5bf879cce079f5982f736a57851f313671379
                                                        • Instruction Fuzzy Hash: E1213771504600DFCB11EF58D9C8B26BFA2FB88355F28C56DD8494B246CB37D847CA62
                                                        Function 11C92136 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 374aabad2cf8ef955aafd66a96fd0d01a24d8d29fb9ab260eb7f51823bfb6e53
                                                        • Instruction ID: 9f360e0d1717fd68786b47ac9b559aacf8dcf185ad7ac10874737864662b65bd
                                                        • Opcode Fuzzy Hash: 374aabad2cf8ef955aafd66a96fd0d01a24d8d29fb9ab260eb7f51823bfb6e53
                                                        • Instruction Fuzzy Hash: 17215CBAA01119CFD704DFA5D854BAEBBB2EB48711F1084A9E546EB3A0DB34DC42CB50
                                                        Function 03809EF0 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da54c5205daeb665ea58676ec4513d9777763dbd3090309ef4fe9f0126ee05cf
                                                        • Instruction ID: de0e7609dc0b835987e631e8595bd74925c873ff241a1e9e6a530c974c40fbc2
                                                        • Opcode Fuzzy Hash: da54c5205daeb665ea58676ec4513d9777763dbd3090309ef4fe9f0126ee05cf
                                                        • Instruction Fuzzy Hash: BE218E353006009FC324DF6CD88095ABBE6EFDA72072585A9E559CF3A2DB31EC02CB90
                                                        Function 07144548 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8fb59680f6ff0c1952f978dfde3a50f0fddbf3ecf5e0f314e53525f200d4d3f
                                                        • Instruction ID: a5918ecb8e084dd5f6caf34dba0e1a717d42a6cd93ab34a5a465853e0d68ba2b
                                                        • Opcode Fuzzy Hash: a8fb59680f6ff0c1952f978dfde3a50f0fddbf3ecf5e0f314e53525f200d4d3f
                                                        • Instruction Fuzzy Hash: 3D21A5F5E28284DFCF0D9BA4A41067D77B5FB96250F52842AED039B3D0DB358D028B92
                                                        Function 11C96B42 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fb7a54757bb5cbb36ce6e825550f80ec9f716cce4e277c19127dcaa0f790d7c3
                                                        • Instruction ID: 5143bde84e10b46de477e184943023022348acc70965f1f9533924986617d004
                                                        • Opcode Fuzzy Hash: fb7a54757bb5cbb36ce6e825550f80ec9f716cce4e277c19127dcaa0f790d7c3
                                                        • Instruction Fuzzy Hash: 6421E370F081ADCBCB59CA2AC554A99B7B1EB88704F1144A8F509DB290EF35EE82CB51
                                                        Function 11C92E86 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 611a040b9fcab45ae29fdfc439d75bb88e746a5e87914710f273b7f0571fd36b
                                                        • Instruction ID: ad493372e86c73d264cee36e58907add0105752d30f17dd2d1c92fd4ca51a3f9
                                                        • Opcode Fuzzy Hash: 611a040b9fcab45ae29fdfc439d75bb88e746a5e87914710f273b7f0571fd36b
                                                        • Instruction Fuzzy Hash: 48314635A00615CFD714CF65C884B8AFBF2BF89310F11859AE94AAB7A1DB70E985CF00
                                                        Function 11C90006 Relevance: .1, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 655e338f15890211f7526a7d5478dbe1acea4deb1b5786cc5f4e9d7352143c04
                                                        • Instruction ID: 4d45a93dfa2f7d3b078f9799dcf05f5fc5829ab26082cb81a13256d1d329d90b
                                                        • Opcode Fuzzy Hash: 655e338f15890211f7526a7d5478dbe1acea4deb1b5786cc5f4e9d7352143c04
                                                        • Instruction Fuzzy Hash: A421507190A389EFCB06CF69D85058DBFF5EF8A210B1580AAE845DB352EA349C16CB51
                                                        Function 03807AB5 Relevance: .1, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6dc412ee44577f0e947e51085adf952bc6fc15f5cc98b10338494d4438ddd51d
                                                        • Instruction ID: 40995a7a0a489e48cfc54ab45a5c59c4bfca4661deff34ea2b0e08922637b69b
                                                        • Opcode Fuzzy Hash: 6dc412ee44577f0e947e51085adf952bc6fc15f5cc98b10338494d4438ddd51d
                                                        • Instruction Fuzzy Hash: F22136B57002899FCB42CBB4C950AA97FF6FF9620472840DAD404DB2A3DA369E02C751
                                                        Function 071489A8 Relevance: .1, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 515702d2a03341901130abab54b45b8e3be0ab4ce3a706620e4091083bb55270
                                                        • Instruction ID: 15dc043043dcd24c0ce3f8cd45ed0f0c63ac8b1f9c368e927bfeb2091355810d
                                                        • Opcode Fuzzy Hash: 515702d2a03341901130abab54b45b8e3be0ab4ce3a706620e4091083bb55270
                                                        • Instruction Fuzzy Hash: 391131B1700A11ABC7066B34A46153EB7ABFFC6A54740452DD1069F380CFACDC02CBD6
                                                        Function 07145870 Relevance: .1, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e545b84c908f8c2e2451460cfb83f74c8660f673179668b7b8dc134bb07c6399
                                                        • Instruction ID: cdf8d84b552f5fec07d6860f55611b56e3638797d39f876bd25d305aec34df33
                                                        • Opcode Fuzzy Hash: e545b84c908f8c2e2451460cfb83f74c8660f673179668b7b8dc134bb07c6399
                                                        • Instruction Fuzzy Hash: 1A31BDB4D25228CFCB648F29C9417D8FBB6BB4A710F5181EAE14DA7251C7B00A90CF91
                                                        Function 07144558 Relevance: .1, Instructions: 65COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5f85fd7c16fdcb69467f3ea1070181cb56f6fb40fadf0ce11618d4162c473ade
                                                        • Instruction ID: 94bc91c33488cf722fea56ba448980a2ad393f49502274e6a8eef6b57a789bc3
                                                        • Opcode Fuzzy Hash: 5f85fd7c16fdcb69467f3ea1070181cb56f6fb40fadf0ce11618d4162c473ade
                                                        • Instruction Fuzzy Hash: CF1193F4A28185DF8F0C9BA4941067E77B5FB86250F52442AED03AF3C0CB359D018B92
                                                        Function 01DEECAB Relevance: .1, Instructions: 64COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d39eb1c418a1312e34a26b2aed914c09485f9c4a59f3ca63c72ec4de59b8eece
                                                        • Instruction ID: ea01332e3b35156638ee60a2a500b2ac54b26d3c348fa0f30730ecff50a58a96
                                                        • Opcode Fuzzy Hash: d39eb1c418a1312e34a26b2aed914c09485f9c4a59f3ca63c72ec4de59b8eece
                                                        • Instruction Fuzzy Hash: 3E218076404280EFDF029F58D9C4B55BFB2FB88310F248699ED490A26AC337D466DB51
                                                        Function 038060B3 Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7274f23272cb800f9640e9956b38f4186d8998f94a4a190990caf4c6b1eeea88
                                                        • Instruction ID: 172dc04961db46a3639fc1367f788a083a1697aba75613b20026b49f7ba27827
                                                        • Opcode Fuzzy Hash: 7274f23272cb800f9640e9956b38f4186d8998f94a4a190990caf4c6b1eeea88
                                                        • Instruction Fuzzy Hash: 261104752043068FC724DFA8DC8492ABBF6FF85210B1445ADE686CB381EB71EC018BD5
                                                        Function 038058A0 Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f218698806d88c8826787d8ed7980f72dc95b58e7d6204cdb5fc5c00e5f05ae8
                                                        • Instruction ID: 4931502c56ca054ea3fe046006a28d72869c93cf9527b8a8b3f0c8372563ba34
                                                        • Opcode Fuzzy Hash: f218698806d88c8826787d8ed7980f72dc95b58e7d6204cdb5fc5c00e5f05ae8
                                                        • Instruction Fuzzy Hash: 2F118F31B101159FC604B769E81852EB7D7FBC8A10B10C42ED706C7388CF789C068796
                                                        Function 0714C509 Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f76ca7d743e5cd1244caee261079f835f4926c57ecd1df225826ad9cc4b39f52
                                                        • Instruction ID: 2b52f66d2fe3753baf55d3bd9d5d8c795bc97f8e117becb57070ec02105b63fe
                                                        • Opcode Fuzzy Hash: f76ca7d743e5cd1244caee261079f835f4926c57ecd1df225826ad9cc4b39f52
                                                        • Instruction Fuzzy Hash: DF11EFB53066018FDB36EF39E460A7FB7B9AF85614B05446DD14A8B6A1CF20A800C7F1
                                                        Function 03804133 Relevance: .1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4033515090c02f4ae49d5b4160266dfbef32ac07a3caa4e0a7a88e5c2912819b
                                                        • Instruction ID: db58ae20a1f181ff52de723f39bbde4685c49c7b6894384764427cdc9545661d
                                                        • Opcode Fuzzy Hash: 4033515090c02f4ae49d5b4160266dfbef32ac07a3caa4e0a7a88e5c2912819b
                                                        • Instruction Fuzzy Hash: 37215B34B00206DFCB54EBA9D854AAEB7B3FF84304F14C4A9D5068B3A4DB359C01CB41
                                                        Function 07141471 Relevance: .1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1cb997c7e741036aace2110380579ac26e6e68d5abd94cad206a32c4aa66426d
                                                        • Instruction ID: 56947089ace5cbf4a11ed84a780ee6c61d324282075a23f35ea2feeab61cb18e
                                                        • Opcode Fuzzy Hash: 1cb997c7e741036aace2110380579ac26e6e68d5abd94cad206a32c4aa66426d
                                                        • Instruction Fuzzy Hash: 0321C070704645CFC311DF38E8588A9BBB2FF8530470985A9E24ACB7B2DB35AD45CB81
                                                        Function 01DED005 Relevance: .1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b41ac76e3caa2e343d4b8f3e86d4484c2876946209af5edfa96fc8bc6bacfdb1
                                                        • Instruction ID: 0149b154c9fa2549fcbc6d56f59a157a18c752e0053756cf5e1ddd3b2d92b890
                                                        • Opcode Fuzzy Hash: b41ac76e3caa2e343d4b8f3e86d4484c2876946209af5edfa96fc8bc6bacfdb1
                                                        • Instruction Fuzzy Hash: CA21A7755097808FDB13CF24D994715BFB2EB46214F28C5EAD8498F297C33A980ACB62
                                                        Function 01DEEBAF Relevance: .1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665929648.0000000001DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01DED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ded000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64ec72785ff453773eb387e2e8981fa770b94824ae4de1fc451089eaefed3b12
                                                        • Instruction ID: 7d64ec39f419f51e03cfe563933fa93408df619faa3b6a6aa1e8c43d8b423905
                                                        • Opcode Fuzzy Hash: 64ec72785ff453773eb387e2e8981fa770b94824ae4de1fc451089eaefed3b12
                                                        • Instruction Fuzzy Hash: B9218EB2504240DFCF128F64D9C8B56BFB2FB88314F248699ED080A25AC336D426DB51
                                                        Function 03808089 Relevance: .1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b6d59df441c2c063d3d8844339bcae86f2808f9e98baf3930f666dec8f601b88
                                                        • Instruction ID: fe971cdcfd22e20f35ea96553c342a87f295016b502cdec580d2f66bc4362747
                                                        • Opcode Fuzzy Hash: b6d59df441c2c063d3d8844339bcae86f2808f9e98baf3930f666dec8f601b88
                                                        • Instruction Fuzzy Hash: C0018C337052149FDB14CAA9BC84BEBB7EDEFD4365B18847BE505C3281DA769840CBA0
                                                        Function 038040ED Relevance: .1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1a80d526032955a0f6b6663d3aa2e9c3fd7d74849de76b45df8338b8bc0a9144
                                                        • Instruction ID: 148799127306aca6dbe3fef2415ab310eec2c85d4852a3222d47047818a7fd37
                                                        • Opcode Fuzzy Hash: 1a80d526032955a0f6b6663d3aa2e9c3fd7d74849de76b45df8338b8bc0a9144
                                                        • Instruction Fuzzy Hash: 60213834A00209CFCB54EBA9D8949AEB7F2FF84304F1489A9D6169B3A5DB35EC01CF41
                                                        Function 07142F60 Relevance: .1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 841a841c494875a85a81ab8ce0fb086e00880ed328e4d54468feccee5cd7bbc7
                                                        • Instruction ID: 1c821cd9062d19dc473ba0b7317d535202364505c1a8323abd7fdc66895663d5
                                                        • Opcode Fuzzy Hash: 841a841c494875a85a81ab8ce0fb086e00880ed328e4d54468feccee5cd7bbc7
                                                        • Instruction Fuzzy Hash: 5A11FB76910118AFCF458F98D884CDABFB6FF4C310B0580A5FA14AB266C731D825DFA0
                                                        Function 0714BF8B Relevance: .1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 31f39aa5bd0511bfa114ed7ff01e8ea02dbd2d06de3b10a2dead2b21befebf11
                                                        • Instruction ID: bebf76a7c36053c18f0bf9a374683ecbd64635266b8408f8c04b8061d6b3b0f4
                                                        • Opcode Fuzzy Hash: 31f39aa5bd0511bfa114ed7ff01e8ea02dbd2d06de3b10a2dead2b21befebf11
                                                        • Instruction Fuzzy Hash: 6921DAB4A15206DFDB24DF64D594A6EBBB2BF48311F204058E906AB3A1CB31ED41CF50
                                                        Function 03804E10 Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2a549bb88610b90bc52dbb8aa0d15b1cc486a92fc8e4b6d0b8ca58c52bce6af1
                                                        • Instruction ID: 0e460ae6d623570d5f97df1affa545794bdc8a5958587a503cafc0d088af7cf0
                                                        • Opcode Fuzzy Hash: 2a549bb88610b90bc52dbb8aa0d15b1cc486a92fc8e4b6d0b8ca58c52bce6af1
                                                        • Instruction Fuzzy Hash: BE114C316042459FC714EB69E84096BBBA3FFC1714B00CD2DD30A8B694DFB5AC0A8BD6
                                                        Function 038086FD Relevance: .1, Instructions: 58COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03a066a2af0f19d68a3dde0b3b7ae14853f6b311ea5f3c74e5cdd893491fe1aa
                                                        • Instruction ID: 4ff1ca0542d5b78f5518a1a15c4b96bbe8d80f24824a11ac6b654b4afb21b622
                                                        • Opcode Fuzzy Hash: 03a066a2af0f19d68a3dde0b3b7ae14853f6b311ea5f3c74e5cdd893491fe1aa
                                                        • Instruction Fuzzy Hash: 77218E74600219CFCB10DF68D88499EBBB2FF88310F0146A9D5159B3A6DB34ED95CBD5
                                                        Function 11C93270 Relevance: .1, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5b735149148261c30f6e0167d34eb99a760f060a5755eee0a04e9344b679526a
                                                        • Instruction ID: 433b80b275e9d9f3ac8463a13a0c2877d7992db9f47294906d0f42ee20ef9300
                                                        • Opcode Fuzzy Hash: 5b735149148261c30f6e0167d34eb99a760f060a5755eee0a04e9344b679526a
                                                        • Instruction Fuzzy Hash: BC11A031208A54CFC765DFB8D898A457BF4EF4A324B0665DEE48ACF663C721E806CB51
                                                        Function 038060C0 Relevance: .1, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c4b6712cbc0cdded1c7a34468d73eed257ce76fb21625d996d43a310f57153a5
                                                        • Instruction ID: 327da347ca4df197d38b1dc581c4ff1b56fad4aae6d1dfee7af88598861e5401
                                                        • Opcode Fuzzy Hash: c4b6712cbc0cdded1c7a34468d73eed257ce76fb21625d996d43a310f57153a5
                                                        • Instruction Fuzzy Hash: 2411A3757003168FC724DFA9D88492AB7EAFF85250714456DE646CB380EB71EC018795
                                                        Function 038073D8 Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b56090961a1bfd89b710aecf17510eb8ecf900f24e99e4c3f5d5e4dad7a20110
                                                        • Instruction ID: cf9aedf2dd55bc0a317a30dc9ed2b6c82ef4cb6366370ebe404ab0b33fb89e40
                                                        • Opcode Fuzzy Hash: b56090961a1bfd89b710aecf17510eb8ecf900f24e99e4c3f5d5e4dad7a20110
                                                        • Instruction Fuzzy Hash: 6F11E371E046469FCB00DFA8EC804AEFFB5FB85200B04856AD618D7350EB34AD148BD2
                                                        Function 03808128 Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec1c7fcb3bc751f7ce3d5f1e13fde3a60457f555b4f89729843f4b6cb1fad196
                                                        • Instruction ID: c797270511f1ad13750176351c20ab47a422fe2c6a57e4b4663cc93d38fefa9d
                                                        • Opcode Fuzzy Hash: ec1c7fcb3bc751f7ce3d5f1e13fde3a60457f555b4f89729843f4b6cb1fad196
                                                        • Instruction Fuzzy Hash: A411E931A00209DBDB54DBA5D9597AEBBF6FF48700F1440ADE402E7385DB759E80CBA0
                                                        Function 03808F70 Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cb35b6312bd9e6be82290875afc2170ed4a52ef1723a6b1b49f4d1831b4d73d0
                                                        • Instruction ID: 6690eed5559163432ed00c69a0dc8071a516ac77bb8fdfd9b4975231c7a06a81
                                                        • Opcode Fuzzy Hash: cb35b6312bd9e6be82290875afc2170ed4a52ef1723a6b1b49f4d1831b4d73d0
                                                        • Instruction Fuzzy Hash: 1711E136700208DBCB54DEA8DC445CA77F2EF89321F00C166E905EB394DB349E15CB90
                                                        Function 11C917C9 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b258c4ae370da3f389d6067b5282ba3b83943a36ccee7a6c5dbce1d23fd53629
                                                        • Instruction ID: 8023e3baac9db35d35462bc4e57ab50c119919d8163e3eb1d88528a145e547f5
                                                        • Opcode Fuzzy Hash: b258c4ae370da3f389d6067b5282ba3b83943a36ccee7a6c5dbce1d23fd53629
                                                        • Instruction Fuzzy Hash: 14019A71B0415ADF8B049B6E9812A6FB6B5FFC9660B02806ED506DB210FF208D12DBE5
                                                        Function 03803283 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cf1fdc55f1f95ed0ce72d727b6aacda616bc45d5ffac29d562d667813965864
                                                        • Instruction ID: a8bb4802360e9b0b8184e45c72b94baaf28f3cdd465c4b1830c8a979ba82c26c
                                                        • Opcode Fuzzy Hash: 4cf1fdc55f1f95ed0ce72d727b6aacda616bc45d5ffac29d562d667813965864
                                                        • Instruction Fuzzy Hash: 67118E34D08389AFCB41DFF8D89099DBFB0FF45200B0189EAC405D7382DA74AA45CB51
                                                        Function 0380A284 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9f38ae9a084beb7f89cf902cf8bce6b18ab990005a136a0ec9f83d30a2362793
                                                        • Instruction ID: b69821812f8c9a893490611c0d6dd1bc2e6acd03a7b490571f639193eca84207
                                                        • Opcode Fuzzy Hash: 9f38ae9a084beb7f89cf902cf8bce6b18ab990005a136a0ec9f83d30a2362793
                                                        • Instruction Fuzzy Hash: 600126323083588BCB6D81F88D1016A76DAAB84218F0041F6C802D36C5EA6A9C25C382
                                                        Function 03803233 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 36fb80c59ade39aa837d3f7733ab67cefc3a0bbb918860ed47a2fca5f3804f1e
                                                        • Instruction ID: 8559ddf2df601f750a929260b4624b1f7d2bef94885ad0590be7471fbe668125
                                                        • Opcode Fuzzy Hash: 36fb80c59ade39aa837d3f7733ab67cefc3a0bbb918860ed47a2fca5f3804f1e
                                                        • Instruction Fuzzy Hash: 75116D34A0424EEFCB44DFBCEC909ADBBB1FB85244B108A99C50697380DB346E00DB85
                                                        Function 03804970 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b96947394a448576c41093d558b9cc79b1683340316b66adf3545987679dabd8
                                                        • Instruction ID: b12b88f242e8d638bf5f767a3c176199d01be565c6c3ae097a1cafde8afb67a5
                                                        • Opcode Fuzzy Hash: b96947394a448576c41093d558b9cc79b1683340316b66adf3545987679dabd8
                                                        • Instruction Fuzzy Hash: F511E5726087548FC751A769E84475ABBA2FBC1610B0489AEC20ACB285DF745C058B93
                                                        Function 038078BF Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f36a4c4a8ade0777c53091e2e15ed758fe4cf6f1c7cd3d10c4dc6ddbae6af1d
                                                        • Instruction ID: 8b0fad60e64215289c6aa5ba862b0d997b57e13bc45b16197bfa7f37b7660c96
                                                        • Opcode Fuzzy Hash: 0f36a4c4a8ade0777c53091e2e15ed758fe4cf6f1c7cd3d10c4dc6ddbae6af1d
                                                        • Instruction Fuzzy Hash: 23112B719042499FDB14DFA9C954AEDBBF6AF48310F1884A9E814F7290DB756900CB60
                                                        Function 03803C10 Relevance: .1, Instructions: 51COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc36f2669a14d6e151f6df5feeacd81f9c152db0fa30516d6e1ab7b0a8376713
                                                        • Instruction ID: a21c81b2b86a63f300108c5f7ac85a6b556e81de7a712014d17330e2fbf0c3e7
                                                        • Opcode Fuzzy Hash: bc36f2669a14d6e151f6df5feeacd81f9c152db0fa30516d6e1ab7b0a8376713
                                                        • Instruction Fuzzy Hash: FF11C435B082959BD351EB79EC506697B96FBD1244B0485FAC604CF389EBB4CD058783
                                                        Function 11C96340 Relevance: .0, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b50a3cfa566b100708e4a2f3d1cc2ff7162911c6153b5afae7b86b7d8081cf6a
                                                        • Instruction ID: cb115d8d4643e67436ace38843355db065e57de0a48e530bc570ba158121a60b
                                                        • Opcode Fuzzy Hash: b50a3cfa566b100708e4a2f3d1cc2ff7162911c6153b5afae7b86b7d8081cf6a
                                                        • Instruction Fuzzy Hash: D6111675640B549FD360CF28C484B26B7F5BF89B10F15869DE48687BA2C771F845CB50
                                                        Function 0380811B Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d698aa27cd445d51351a6d8beeb27e26b52dd2fda1f48813918a5c6aca7e4a86
                                                        • Instruction ID: d7d0ac2bc8a5ed535e4a1c45f0d0a6515d1a613f820f3b67200be17570290471
                                                        • Opcode Fuzzy Hash: d698aa27cd445d51351a6d8beeb27e26b52dd2fda1f48813918a5c6aca7e4a86
                                                        • Instruction Fuzzy Hash: 2611C831A00208DFDB54DBA4D8596EEBBF6EF88311F184069E402E7395CB759940CBA0
                                                        Function 071413D0 Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c81b7859c509688fe7d3ccc6c932911c3036467dfe108ea122354188c45698ea
                                                        • Instruction ID: f3efaf102c73902dd63517935a8bbfbd7f01f8296c8ec3ec7b7205ad2c98d482
                                                        • Opcode Fuzzy Hash: c81b7859c509688fe7d3ccc6c932911c3036467dfe108ea122354188c45698ea
                                                        • Instruction Fuzzy Hash: 07111C31200A01CFC324DF29D448D56BBF2FF88715B118969E24A8B6B1DB75ED09CBD5
                                                        Function 03805390 Relevance: .0, Instructions: 48COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a91c16a10c9244f2f58b0f4b9a4e156cfab21ac49eca7db538914b9389d95d2f
                                                        • Instruction ID: 0e7317a154c25913f0610b1e1951dc40ac1d129bf1970bce3c4cc6666805c3c6
                                                        • Opcode Fuzzy Hash: a91c16a10c9244f2f58b0f4b9a4e156cfab21ac49eca7db538914b9389d95d2f
                                                        • Instruction Fuzzy Hash: 220126727047018BD318AA6AFC507AAB793FFC5B20F09C839D6048B1C4DF744C0687A2
                                                        Function 11C96350 Relevance: .0, Instructions: 46COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81cc51c32ac268b1720a95c3ff773d3f9a92b34682b89b4bffde8c2c7cf68fe4
                                                        • Instruction ID: aa94265138ef6fabf29dfbe799d8d07e22baf4ed103f93673576a145dd3639e6
                                                        • Opcode Fuzzy Hash: 81cc51c32ac268b1720a95c3ff773d3f9a92b34682b89b4bffde8c2c7cf68fe4
                                                        • Instruction Fuzzy Hash: F8117975200A54CFD360CF28C484E22BBF4FF89B20F148A9DE48A87BA2C631F805CB40
                                                        Function 11C92F69 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf484cd2a6d30b0fd274472773b79d4675cb9b91c196994ab0c3f46c5684a12b
                                                        • Instruction ID: 9b74383d7e382fc1f3d5748e53e22a085b33493f0ec70787f0e361518973dc41
                                                        • Opcode Fuzzy Hash: cf484cd2a6d30b0fd274472773b79d4675cb9b91c196994ab0c3f46c5684a12b
                                                        • Instruction Fuzzy Hash: 6B112E75E0031ACFCB19CF65C540A9EFBB2BF8A314F21859AE849AB250D770A985CF51
                                                        Function 01CCDA21 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665306735.0000000001CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CCD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ccd000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: acf253cdcb575bf93bf636578475f1fafdceab754706cb553bf19e610728315c
                                                        • Instruction ID: 6bcb470b49b605f1898f9160b9964ae35cdff120a5c3b611d9df190b4e4dd006
                                                        • Opcode Fuzzy Hash: acf253cdcb575bf93bf636578475f1fafdceab754706cb553bf19e610728315c
                                                        • Instruction Fuzzy Hash: 8901A271108340EAE7118AAECD85777BFD8DF41B20F18846EED4A4B282D279DD44C6F6
                                                        Function 038070B0 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ea852669800e6a62fc45c0f4ed99d7c61b11d3058511c3266aaaa337699a102c
                                                        • Instruction ID: 50a0350bd893c25af2b80f60fd2ff0e726503489843e3724e93c425a22e2c811
                                                        • Opcode Fuzzy Hash: ea852669800e6a62fc45c0f4ed99d7c61b11d3058511c3266aaaa337699a102c
                                                        • Instruction Fuzzy Hash: FC017136900109DFCB85DFB5D9488AD7FB6FF85300B0489AAD1059B2A1FF35AA14CF86
                                                        Function 0380700B Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 807332b05eb417f925717a06bfd09d745d4d45cf96b148c6b84da33e141bd32d
                                                        • Instruction ID: f28f764a72b315e666c40e4e26b3dae78fc117dc431523f287a80442b2fed58a
                                                        • Opcode Fuzzy Hash: 807332b05eb417f925717a06bfd09d745d4d45cf96b148c6b84da33e141bd32d
                                                        • Instruction Fuzzy Hash: AB11ED31904209DFCB41EFB4D5588AE7FB6EF85300F0489AED501AB290FF755A189F95
                                                        Function 03806E0F Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d5e28d523eeefb741b895a879ae965c2255a991d2fa9a2eba081057128ff5e8c
                                                        • Instruction ID: bd454a1ae778d00bf869633637804ed030bebf21cac252486b2dcb127bb8ff13
                                                        • Opcode Fuzzy Hash: d5e28d523eeefb741b895a879ae965c2255a991d2fa9a2eba081057128ff5e8c
                                                        • Instruction Fuzzy Hash: D1012B718047848FC724DF79D804055BBF4FF4621071486DDC8598B2A2E331A905CBD1
                                                        Function 11C91058 Relevance: .0, Instructions: 43COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11c78cb9edc1c5a53eb9ca837eb2c55f4d948f5d9e5a8bf51ea342fb3fa9deb9
                                                        • Instruction ID: 6fc3322d2e7925fa133e256598c477229d93814b6d018b3a0d2fc569e8b36884
                                                        • Opcode Fuzzy Hash: 11c78cb9edc1c5a53eb9ca837eb2c55f4d948f5d9e5a8bf51ea342fb3fa9deb9
                                                        • Instruction Fuzzy Hash: 5EF02B327481DCDFCB16A626A417B5E73AAAFC1670F0415AED106CB291EE679C018762
                                                        Function 11C92378 Relevance: .0, Instructions: 43COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 351224439725756794824cdd482cac6e77c24746b8c43325d9a421327759bc5c
                                                        • Instruction ID: ca0d0633db6a4d93abd89599b5ff577e2be51e2465418858faf5cb40d65adda4
                                                        • Opcode Fuzzy Hash: 351224439725756794824cdd482cac6e77c24746b8c43325d9a421327759bc5c
                                                        • Instruction Fuzzy Hash: 5DF0C8733083949FC7061A69A81466E7F7BEBC761075580ABE455C7386CD25CD0783A2
                                                        Function 11C946A8 Relevance: .0, Instructions: 42COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e6242f6235ddf7060b910dd2aa608e7ff54abe1a9bc6c8ac8232b5231f090c6b
                                                        • Instruction ID: 0609811ffb196e63c76d19398ac0e4de90565e7efaea6c899c704289348817e0
                                                        • Opcode Fuzzy Hash: e6242f6235ddf7060b910dd2aa608e7ff54abe1a9bc6c8ac8232b5231f090c6b
                                                        • Instruction Fuzzy Hash: 65F0FF7261031CDBC720CF2AC90426BFBFAAF85710B01846EE249C7240EB71A551CBE5
                                                        Function 07145460 Relevance: .0, Instructions: 42COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 55c6e506d18c8cb329439f5fc985e71ba8b97542e49c265f7ed9ad2213ec0bbd
                                                        • Instruction ID: ecae4ff40559f39c1faf216c80c5a431923015578d22388729dcaf7103203844
                                                        • Opcode Fuzzy Hash: 55c6e506d18c8cb329439f5fc985e71ba8b97542e49c265f7ed9ad2213ec0bbd
                                                        • Instruction Fuzzy Hash: 790174B0D0130ACFCB04AF7898092EE7BF6EF09214B60486AD405EB341EB399942DBD0
                                                        Function 11C90040 Relevance: .0, Instructions: 41COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8a120e27962f86b826abc0f76014d78acad9d1a7936f9d266a883e554aa54241
                                                        • Instruction ID: 1e3f90f6e7e8c2325fa382d68f33d5646ae3287bb4480429fc6b0575e88f7fe3
                                                        • Opcode Fuzzy Hash: 8a120e27962f86b826abc0f76014d78acad9d1a7936f9d266a883e554aa54241
                                                        • Instruction Fuzzy Hash: 5901A975E0121CEFCB14CF9AE54099DBBFAFB98350F108029E919A7354EB74AD418F91
                                                        Function 0714E010 Relevance: .0, Instructions: 41COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e492ae310f80b0c57b957849ab3aa8d478d4910a09f4bd81fc45f35ad449b8d
                                                        • Instruction ID: 59734d4b36532ddc95dd31ba1fbad516b8a71843d5a9557b805012bb0043b9de
                                                        • Opcode Fuzzy Hash: 5e492ae310f80b0c57b957849ab3aa8d478d4910a09f4bd81fc45f35ad449b8d
                                                        • Instruction Fuzzy Hash: 46F0E2E232D240C6C22C5166389C67AA7D9F7C3125F06827BE17B8B2C2CB539C4E1322
                                                        Function 11C962C8 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec1710741075c5c7e77611b291eb1c00ef3ad63e8ef95d9bb572ca4fcc47caae
                                                        • Instruction ID: b8b38bc468c8ddfbae95b6e18d4e0179541556013a97d74501e7947845250eca
                                                        • Opcode Fuzzy Hash: ec1710741075c5c7e77611b291eb1c00ef3ad63e8ef95d9bb572ca4fcc47caae
                                                        • Instruction Fuzzy Hash: 60011735144794CFE339CF24D044B16BBF1AF0A715F5485ADE4864BBA1CB75E846CB10
                                                        Function 03807018 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9fd33aecb7e73d37b7f1f276a65b9516759dc344cd27c6a46e02d7df25c61ade
                                                        • Instruction ID: c174e0435f62582fef8b462141242fe5465db154c0eb7f2672e1e667347b4f8f
                                                        • Opcode Fuzzy Hash: 9fd33aecb7e73d37b7f1f276a65b9516759dc344cd27c6a46e02d7df25c61ade
                                                        • Instruction Fuzzy Hash: 9101CC31900209DFCB81EFB5D5444AD7FB6EB45300B1089AAC501AB290FF755A189F95
                                                        Function 0714B70A Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a072555e06bcc3c3376f1d497e475252f2407929d58955fd77c833dea6dc6a74
                                                        • Instruction ID: 99e1c2d457b6ec83ea71ed2a788ed7428ded5c50299ce51aee26ab40c9c2d90f
                                                        • Opcode Fuzzy Hash: a072555e06bcc3c3376f1d497e475252f2407929d58955fd77c833dea6dc6a74
                                                        • Instruction Fuzzy Hash: 03F02BB170A3409F8732826D785186A3769FBC607230504BAD904DB7C1CB24DC44C7A1
                                                        Function 07142CC0 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18cdbb885cc18328700ba92436fba411d547c82cbc28ce47f38eb3a35b48a0a7
                                                        • Instruction ID: fc1a1e424b20be0c2c8a66545de8cfd706df3475823a0bd043e809a52b1241d6
                                                        • Opcode Fuzzy Hash: 18cdbb885cc18328700ba92436fba411d547c82cbc28ce47f38eb3a35b48a0a7
                                                        • Instruction Fuzzy Hash: 0BF0E2763042115B93155AAEB8A442ABBDAFFC8126350813EFA4EC3380CE29DC0A8390
                                                        Function 07149778 Relevance: .0, Instructions: 39COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3028f272384d327756e127bea6cd3cc1e54dc45c9c99a8d34388c7175d27d57a
                                                        • Instruction ID: 99ebdbf808a7e37a5434f61aa77d417605e21b22151cb5d8056a1d5bc8534b54
                                                        • Opcode Fuzzy Hash: 3028f272384d327756e127bea6cd3cc1e54dc45c9c99a8d34388c7175d27d57a
                                                        • Instruction Fuzzy Hash: 05F0492140E3C4AFC713DBBCAC254EA7FB9DE0311470545DBD488EB1A3D9245E98C7A6
                                                        Function 11C91068 Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a72bef2638bf01b3b380d7954582dccf67879e554f8cfab58c96ab4055b21f90
                                                        • Instruction ID: f810d5436b5281e756ba114709512b57a51e716c634a24538cc13d1b4803c959
                                                        • Opcode Fuzzy Hash: a72bef2638bf01b3b380d7954582dccf67879e554f8cfab58c96ab4055b21f90
                                                        • Instruction Fuzzy Hash: 26F02E317480DDDB8B09A627A412D2E73AABFC5A30704116ED207C7390ED27DC018792
                                                        Function 038032A8 Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e8beceb1a87ae93dbe098718b82c2ade0fb227b7ab8454862115f270499f62be
                                                        • Instruction ID: f2aa34c82ea3b25d090e0a07ccc752525bb6a046d82e2dc6174916412eb291d5
                                                        • Opcode Fuzzy Hash: e8beceb1a87ae93dbe098718b82c2ade0fb227b7ab8454862115f270499f62be
                                                        • Instruction Fuzzy Hash: AE010C74E0424DEFCB44EFFCD8509ADBBB5FB44244B5089AAC505E7340EB745A01CB81
                                                        Function 03809161 Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3c4eda041fc0aa7a6cd3ea7e8b490d3f90544915b6d6531b140be69c56ae874
                                                        • Instruction ID: 8dbd66a09fd5934f72c7fe84c64d72151ec2d6c3cb213a36f0ec03679a287a2f
                                                        • Opcode Fuzzy Hash: c3c4eda041fc0aa7a6cd3ea7e8b490d3f90544915b6d6531b140be69c56ae874
                                                        • Instruction Fuzzy Hash: D6F0BB71304211DFD3259765EC69A7BB7AEFBC9314F04847AF005C3384DE795C1586A4
                                                        Function 01CCD163 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665306735.0000000001CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CCD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ccd000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c8f8b41f45ac9c7edd29b44bd9dc340d02b112d032a29b5bcf06f5d215685947
                                                        • Instruction ID: fa6bbb4ea4d9724265e81634cc13e2e102e667ed17d94059bffb3fe13fd485f1
                                                        • Opcode Fuzzy Hash: c8f8b41f45ac9c7edd29b44bd9dc340d02b112d032a29b5bcf06f5d215685947
                                                        • Instruction Fuzzy Hash: 01F0E776600600AF97208F4AD984C23FBEDEBD5670715C5AAE84A4B651C671FC42CAA0
                                                        Function 03809FC1 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb00da769cf7b5d26430023c24adf9abb4c02993faf82392f6cf432d74b17dbd
                                                        • Instruction ID: 4ba1b050488b4ff7c80baec34dd9e02ca973cffb1e402e1ea620df985981c47f
                                                        • Opcode Fuzzy Hash: bb00da769cf7b5d26430023c24adf9abb4c02993faf82392f6cf432d74b17dbd
                                                        • Instruction Fuzzy Hash: 52F08C31B0420DCFC78DABB4E91842977A7FB80249B9588A8D103DB294DF7EDC42CB91
                                                        Function 0714B718 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ddaa9df25766ba2b7a9d21d6ed1a7e093934c34c3b1b19a52cb39a754ec52c44
                                                        • Instruction ID: 2a01b11e69d1a4d9b13369e966e6ec4e96e9435ef71968c9a2dd69beaa9bebe4
                                                        • Opcode Fuzzy Hash: ddaa9df25766ba2b7a9d21d6ed1a7e093934c34c3b1b19a52cb39a754ec52c44
                                                        • Instruction Fuzzy Hash: 3BF027F170A2109B4736966E685197E32AAF7C91767010439DA05CB3C0CF35EC05C7D5
                                                        Function 071456E0 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 668af6e5b6e0f4bcacbd57765f3a26aef4a9ba11dba8a08ef652a12893aa92bf
                                                        • Instruction ID: cd239bdde95489c9569190f0aaaa7535340d954cf6f6d27f590e7f19c8ed5d9d
                                                        • Opcode Fuzzy Hash: 668af6e5b6e0f4bcacbd57765f3a26aef4a9ba11dba8a08ef652a12893aa92bf
                                                        • Instruction Fuzzy Hash: 4DF0E07ED14159ABCB245B74E4054ED7BB67B09351F40046AE40767380DB704995CFF1
                                                        Function 01CCDA20 Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665306735.0000000001CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CCD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ccd000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb4a4dd30567dc2d88f66605f18b24cf12d81f79383c5578c5fccabf50994b29
                                                        • Instruction ID: 86f90fd8b7934a2d60e200b687633d0de99c37ec87f0b548a0b7ee2835f59e7b
                                                        • Opcode Fuzzy Hash: bb4a4dd30567dc2d88f66605f18b24cf12d81f79383c5578c5fccabf50994b29
                                                        • Instruction Fuzzy Hash: 6AF0C271108344AEE7118A1DCD88B63FFE8EB41730F18C46EED494B282C278AC44CAB1
                                                        Function 01CCD154 Relevance: .0, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2665306735.0000000001CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01CCD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1ccd000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 97ce88701ae41a9ec5a564c07cc3bc4d35e38b912931cd7a206ee8c56ac5d2fb
                                                        • Instruction ID: f91c2c256ea0b98cbc6561d6f1c5998c430ded78c7ad9cab284bc68d76466aeb
                                                        • Opcode Fuzzy Hash: 97ce88701ae41a9ec5a564c07cc3bc4d35e38b912931cd7a206ee8c56ac5d2fb
                                                        • Instruction Fuzzy Hash: 84F0EC75104640AFD725CF46CD84C22BBF9EB867607158499E84A8B352C670FC42CFA1
                                                        Function 03807FD0 Relevance: .0, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9af8f32aaf51438ee970f65c57d5cac17f561ca5df5edb73c1c3d90f05a634a
                                                        • Instruction ID: d1ce8e8d89a9cc980b376453fae1dcfc7ce15fd3014aa9674f09eeaff3eecd96
                                                        • Opcode Fuzzy Hash: c9af8f32aaf51438ee970f65c57d5cac17f561ca5df5edb73c1c3d90f05a634a
                                                        • Instruction Fuzzy Hash: BDE065333042145B9B20999BBC84BBAFB9CEBC56B5F188077F609C7181DB75C841C6B0
                                                        Function 11C92C98 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fcb58f201e026af76b2c33bad08a5e734a53275d56b9ddff94fa0224009d0231
                                                        • Instruction ID: 89b5ff98565823e9143f49677b0f9cb6d37833bea317d1f0eaeb0fde1f20f147
                                                        • Opcode Fuzzy Hash: fcb58f201e026af76b2c33bad08a5e734a53275d56b9ddff94fa0224009d0231
                                                        • Instruction Fuzzy Hash: B6F08C32D042A9DEDB629FA885067AEBFB2AF05200F000068C999E7640E7346A15CBC2
                                                        Function 03803806 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fd0f75cbf03041a5864c592f0b3c8e60dab323081c1a201479fbe1038f477a81
                                                        • Instruction ID: 327ebeb2539a893286b8daaa35819c44984502bd04808696105d39bde5967e0f
                                                        • Opcode Fuzzy Hash: fd0f75cbf03041a5864c592f0b3c8e60dab323081c1a201479fbe1038f477a81
                                                        • Instruction Fuzzy Hash: 6FF0596A4092848FD785A3F89CA80343F71FA1714070C06DAE082C72A6D7A8540AC713
                                                        Function 03803C20 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 99388d749fae9e8b1458930e12ef30bb1e2fa517b342b20c12246bd823017748
                                                        • Instruction ID: a3ea2e0c749d8b9f14046963a153ac565f20e9b3ce93ed46ec12432c92bca78b
                                                        • Opcode Fuzzy Hash: 99388d749fae9e8b1458930e12ef30bb1e2fa517b342b20c12246bd823017748
                                                        • Instruction Fuzzy Hash: 5BF05831B0022A9BD384EBB9F84056A76DBFBC5644B009879C608CF388EEB4DD0547DB
                                                        Function 03809170 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 62b35d90fe52e79a1125e341139d92a65ec90db9d9a2fed68c92c08377d0edac
                                                        • Instruction ID: a7c3e9c179e47c4f57ac163966fb7b50dad82ce7c6a43d58c140a0f9ec2b1212
                                                        • Opcode Fuzzy Hash: 62b35d90fe52e79a1125e341139d92a65ec90db9d9a2fed68c92c08377d0edac
                                                        • Instruction Fuzzy Hash: 63F082727041159FD328D65AEC5897BB7AEFBC9214B04843AE009C3244CA799C0582A8
                                                        Function 03807FB9 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de9a51ff2046e4085f5e92e0ca9c330cbcd7ab15bf3386b6a58d0595dd3030e6
                                                        • Instruction ID: 81a032a9a4fcd5c18028b5bc7c93213d1263c67b55b31abae2045c9fa3ee381d
                                                        • Opcode Fuzzy Hash: de9a51ff2046e4085f5e92e0ca9c330cbcd7ab15bf3386b6a58d0595dd3030e6
                                                        • Instruction Fuzzy Hash: B7F0E23220D3805FDB228E66AC90BA5BFB4AF93250F0D40E7D444CB1C3C6288804CB71
                                                        Function 07149E51 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1bdbcc11d2558fc10b0e56ff2aad3f8b6808fc37ae00dd5bb88fd02afcede4a1
                                                        • Instruction ID: c776b8389185dca5c6c3523f44ef40fb7dba70753088b28af265f0ce6d5a46c3
                                                        • Opcode Fuzzy Hash: 1bdbcc11d2558fc10b0e56ff2aad3f8b6808fc37ae00dd5bb88fd02afcede4a1
                                                        • Instruction Fuzzy Hash: C3F0BB71818B4586C321AE78AC150ABFBB4EF962117008B5FE4C876911DF60A5C487D2
                                                        Function 0380604F Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 43e15447a4add291323dd07c8d4d25bfca9192d80897836c4708efe9f6707bb0
                                                        • Instruction ID: 53bb5a529e9d8b01a31ef98657cbabb027b7a9e2c57ce128c3d0b63855f6ff25
                                                        • Opcode Fuzzy Hash: 43e15447a4add291323dd07c8d4d25bfca9192d80897836c4708efe9f6707bb0
                                                        • Instruction Fuzzy Hash: FAF03AB17007058FD720DFA9E880B1AB3E6FF98714F148AADD6468B794DB75F8058B84
                                                        Function 0380746C Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 23a897d6921b2b114d93596fec8e2db44db65a38371493b8ffc40fc3de99ce88
                                                        • Instruction ID: abc4b5a54c2bcc29db93abb6834154abea3cd26194fe69a6ee6333e59bb290d7
                                                        • Opcode Fuzzy Hash: 23a897d6921b2b114d93596fec8e2db44db65a38371493b8ffc40fc3de99ce88
                                                        • Instruction Fuzzy Hash: FDF02B71E04159CFCB00CFE9DC804FEBBB4FB81211B004297E251D71A5D774AA25CB92
                                                        Function 11C95038 Relevance: .0, Instructions: 31COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fccbd122b48c5f47d524d973d7e9bfc50f7ef2ce57f52d3c900691a6ec5d43e6
                                                        • Instruction ID: 063ce85f0f2788dd9ca8f2ec34531d2a4109074216af9a234db3679f549410f0
                                                        • Opcode Fuzzy Hash: fccbd122b48c5f47d524d973d7e9bfc50f7ef2ce57f52d3c900691a6ec5d43e6
                                                        • Instruction Fuzzy Hash: 82E0D82330865AA7D71555AB3C5092BEA5EFBD5970718813BF148C7280DD11EC0143F1
                                                        Function 07145470 Relevance: .0, Instructions: 31COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6f6eb7757d364b57fba031f12df6a5865896bea9bba9973fb6839c6ceab70e37
                                                        • Instruction ID: 44c41dabe32fd923bf434660dc42b334ef8c8bc4e267af31fd19a4cc95534a3d
                                                        • Opcode Fuzzy Hash: 6f6eb7757d364b57fba031f12df6a5865896bea9bba9973fb6839c6ceab70e37
                                                        • Instruction Fuzzy Hash: 29F0C4B0D0131ACFCB58AF74C4192AE7BF6EB49205F60486AD416E7340EB799941CF90
                                                        Function 03803750 Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 434673c339eca581197630725a289c233cbbc014c8d3f01a306e282c196e1816
                                                        • Instruction ID: 7ebfbb87bdf12f88e7cffa75f305d08ebc1001125a32c33339424a653b4c8312
                                                        • Opcode Fuzzy Hash: 434673c339eca581197630725a289c233cbbc014c8d3f01a306e282c196e1816
                                                        • Instruction Fuzzy Hash: 62F06D70D04149EFCB40EFB8E89169CBFB2FF46305F1089AAC504A7255DB341E05CB46
                                                        Function 11C912B8 Relevance: .0, Instructions: 29COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cbb9906759fce04e51411d5af53ffa4552177bfda3f25c93cccfcbed33c09318
                                                        • Instruction ID: e6f1d184791ab8b9c1b7e8893cd2fe1e79d9aa1ea82ccd51e6feee4d413f2277
                                                        • Opcode Fuzzy Hash: cbb9906759fce04e51411d5af53ffa4552177bfda3f25c93cccfcbed33c09318
                                                        • Instruction Fuzzy Hash: 4AF0553920030ACBD7129A1AD81195B3BA9EF8A320F11406DE91553394DF719C028AD1
                                                        Function 11C92CA8 Relevance: .0, Instructions: 28COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8be1e9aaf32b53d3218a24ac1135e43cd4307a0ae976d39e267c3fdaa7d1e2f0
                                                        • Instruction ID: 1e813e87a8b8a1ebfab48586b0ace839e74e0a831df8829c83b679e99512f1b4
                                                        • Opcode Fuzzy Hash: 8be1e9aaf32b53d3218a24ac1135e43cd4307a0ae976d39e267c3fdaa7d1e2f0
                                                        • Instruction Fuzzy Hash: 95F05E32D44299CFDB60DFA995057AEFFF2AF04300F004069C599E3640E778561ACBC1
                                                        Function 11C962B8 Relevance: .0, Instructions: 28COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0eef1f972ccf32145fb99b1f6480d5890cb4c9e5593bee128993884e85a59907
                                                        • Instruction ID: 03849b34e28ab19c50b21cccb411f3af7572fd82a19eeb2a2b47cf2b48fd0f4e
                                                        • Opcode Fuzzy Hash: 0eef1f972ccf32145fb99b1f6480d5890cb4c9e5593bee128993884e85a59907
                                                        • Instruction Fuzzy Hash: 8FF0BE34448BC5CFE3328B24C1547117FE2AF06714F8409EEC0CA4FAA2C779A88AC301
                                                        Function 03805BE0 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc2ba9bebfe82b2ee8d0a95357da003e2137da772ec79411f4fb8fd8de5bfde8
                                                        • Instruction ID: b79cce8caf41da0068a77431033e1b3a6f0432f2e379ea3df789a7b1600f71d1
                                                        • Opcode Fuzzy Hash: cc2ba9bebfe82b2ee8d0a95357da003e2137da772ec79411f4fb8fd8de5bfde8
                                                        • Instruction Fuzzy Hash: 65F0EC715082424FC301D768F450258F7E3FFC5720F5586A6C3044B6E9DB645C058796
                                                        Function 07149351 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cc017ec20f0f310f20e40b5aeeb1e3f01549b2b38ee77ae09d5a5346c6b8775
                                                        • Instruction ID: d61fbdee213c8b90a1d26496c0fbde26bdaba9f5e87fe5086f3b2ff9a4034650
                                                        • Opcode Fuzzy Hash: 4cc017ec20f0f310f20e40b5aeeb1e3f01549b2b38ee77ae09d5a5346c6b8775
                                                        • Instruction Fuzzy Hash: 3EE04F227052D12FC717162D741DCAF3FBADEC666135500AAE046DB282CE180CC6C366
                                                        Function 07145360 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 542cd71efca369da5e3e037803164f793c92e73310443f4892b5ffa80af647c5
                                                        • Instruction ID: bc42ff4de07807ca6a24c3870604b11d2bf2260cdaefef01c0af2ba922f40db0
                                                        • Opcode Fuzzy Hash: 542cd71efca369da5e3e037803164f793c92e73310443f4892b5ffa80af647c5
                                                        • Instruction Fuzzy Hash: A0E0DF3A905348EFCB01DFB4F8024EEBBB5EB01120740419AD408EB681DA301F84DBE2
                                                        Function 11C932CF Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a91acc1c4ed56cf6128afb7555bddadac62b00b80198c9b299cad34d9c0d05f0
                                                        • Instruction ID: f8267847cb1f1a2137e403755ece8fd456e4c051b505d8717aca682434fef3bc
                                                        • Opcode Fuzzy Hash: a91acc1c4ed56cf6128afb7555bddadac62b00b80198c9b299cad34d9c0d05f0
                                                        • Instruction Fuzzy Hash: A6E0C2237496A117C326112A9C11A9F3B998FC2B60B0600F6E60CDF2A3CC494D0B87E5
                                                        Function 03808023 Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 68c5d9eff9c17628389655aa96dfdb0d38eb861b3b9e0df7405401c8794a6f67
                                                        • Instruction ID: c71575b054efb97fae9df03acf02e414428cef1fbae766691d26d3f2818171a0
                                                        • Opcode Fuzzy Hash: 68c5d9eff9c17628389655aa96dfdb0d38eb861b3b9e0df7405401c8794a6f67
                                                        • Instruction Fuzzy Hash: D3F03071E002199FCB80EFBDDD411AEBBF8EF89250B1005A9C55AE7391E7305A10CB95
                                                        Function 071456F0 Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e7e98678dc49450442d85aaeb809ea17c1089def9640d47d30eaa2244253be88
                                                        • Instruction ID: be2e48fc54446d7f8e12291aad3c31e10dc0927bb57ed4d9321bae4c67622c70
                                                        • Opcode Fuzzy Hash: e7e98678dc49450442d85aaeb809ea17c1089def9640d47d30eaa2244253be88
                                                        • Instruction Fuzzy Hash: A5F06571D1021DABCB249B65D8088EE7AFBBB49340F81047AE403A3390EF7559548FA1
                                                        Function 11C92368 Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 232b5cfa2c8a78160e47787597055e7bba0deb761313919c9e76523323313b7a
                                                        • Instruction ID: ac00f66808d08946934d58813a6d66679701c369349c5971f2fe571281d9db85
                                                        • Opcode Fuzzy Hash: 232b5cfa2c8a78160e47787597055e7bba0deb761313919c9e76523323313b7a
                                                        • Instruction Fuzzy Hash: 43E0D8332002189BCB011A8DD814B9FBBAEDBCA650F54802AFC5983200CB718C1397A0
                                                        Function 038037C0 Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5d1fdcd119dbd82f63d9dab3aae0ad311a53d7f27b37a7506bd95ad380036ac0
                                                        • Instruction ID: a64792bf3a91b31484c79a18e5829e07a8c9daa4f69e3b3198b98844951104d1
                                                        • Opcode Fuzzy Hash: 5d1fdcd119dbd82f63d9dab3aae0ad311a53d7f27b37a7506bd95ad380036ac0
                                                        • Instruction Fuzzy Hash: 9FE02B76805114CFCB957B78E8993783F71FB55245F0445D5D042C6289D7784015C713
                                                        Function 03803760 Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7a724f87e1db3845cbae166b926d556023a1aea17ee4ba5b9ea095ca0d2c2104
                                                        • Instruction ID: a9f1aecb96b71c3ea7217f8861d3ec9483136c4293e052519a7dbe519fe95ab9
                                                        • Opcode Fuzzy Hash: 7a724f87e1db3845cbae166b926d556023a1aea17ee4ba5b9ea095ca0d2c2104
                                                        • Instruction Fuzzy Hash: 63F01C70E0010DEFCB40EFB8E95059DBBB1FB85300F6089AAC609A7250EB306F05DB86
                                                        Function 11C95447 Relevance: .0, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e83cbec53b7ea0b59a41cf0766eaa6cd285496b2a3d1dd052a0237427f635a1
                                                        • Instruction ID: 7eca53bb129a406475f55a0fd9c1b94e40b73f2c29df627e45b3293a532ee232
                                                        • Opcode Fuzzy Hash: 9e83cbec53b7ea0b59a41cf0766eaa6cd285496b2a3d1dd052a0237427f635a1
                                                        • Instruction Fuzzy Hash: A0F03972E0428EDFCF21DA90D8943CEBBB0AF2122AF24206FC041A2091C7B054C9CF12
                                                        Function 11C912C8 Relevance: .0, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e846d1a3d6d04addf46e504eab46038e494d716570aaab49d71b9f0bf0f0a4bf
                                                        • Instruction ID: 1ed19696a566bea16e91077c556c2cd956309f48ca95b60fb98442e3f3a25570
                                                        • Opcode Fuzzy Hash: e846d1a3d6d04addf46e504eab46038e494d716570aaab49d71b9f0bf0f0a4bf
                                                        • Instruction Fuzzy Hash: 1EE0C639200308C7C720DB17C80489A7BBEEBC8330F10803DD80863388EEB62C0087C0
                                                        Function 07149E60 Relevance: .0, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: af03bc4cd1d3b81b3566dc8707b5fda9d30768b1c9077d51198a663dfdf7de22
                                                        • Instruction ID: 8b98b79c831ba85454811580cf9d925c37b56bdb6d8e3a77200ad85b28f345ac
                                                        • Opcode Fuzzy Hash: af03bc4cd1d3b81b3566dc8707b5fda9d30768b1c9077d51198a663dfdf7de22
                                                        • Instruction Fuzzy Hash: A0E06571C24B19C2C7206E7CD8110ABF7B4EFD5251B008F2EE4C922910EF70A5C487C1
                                                        Function 11C93309 Relevance: .0, Instructions: 22COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f5ce658367693df8a3dba9435403258c8b3dbdab8b80956cab0aeedd7f4bf94
                                                        • Instruction ID: 1b7b983b6efe01ac9e3d01b2601a3f77f8a49f87f0585154f21807ac23d70698
                                                        • Opcode Fuzzy Hash: 1f5ce658367693df8a3dba9435403258c8b3dbdab8b80956cab0aeedd7f4bf94
                                                        • Instruction Fuzzy Hash: 8AE02B323092905BC716D5EE6880054BBF65EC652130601ABD948DB29BC810CC054399
                                                        Function 0714FB88 Relevance: .0, Instructions: 22COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1dddd5ef77a69341b81ec2cc190727d631ad3e86e559be3b76ea639f9482e13e
                                                        • Instruction ID: 74b6321bd7e8998b45e3f62c645a94d9c3059510758c6f73696fc2f2c5c12cd6
                                                        • Opcode Fuzzy Hash: 1dddd5ef77a69341b81ec2cc190727d631ad3e86e559be3b76ea639f9482e13e
                                                        • Instruction Fuzzy Hash: 6AE09A30909388EFCB01EF68E95184D7FF9EF02100B4984DAE648D7252DA352F04D7A2
                                                        Function 07141480 Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11a9a6c1ca0046289b44cbc9e8db71ab730bf4079a71b7270e93f89fdad38f58
                                                        • Instruction ID: b717304a3139857afea6a51e5bf51bbceb4a2e33f947bad2275a7b1674ec0b7e
                                                        • Opcode Fuzzy Hash: 11a9a6c1ca0046289b44cbc9e8db71ab730bf4079a71b7270e93f89fdad38f58
                                                        • Instruction Fuzzy Hash: 3BE0127060120DEFC740EFA8F94585D77B9FF852047148559E609D7250DB356E50EB91
                                                        Function 07145132 Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b0839b6d97eb40fbc09e9f780a13b1775ba9819627646547744739b353377766
                                                        • Instruction ID: 203744c4dd65f710dff01fbea4e9332ea70dda1426422ed7e0d62f70f99ec05a
                                                        • Opcode Fuzzy Hash: b0839b6d97eb40fbc09e9f780a13b1775ba9819627646547744739b353377766
                                                        • Instruction Fuzzy Hash: F4E0C27D900248FBCB00DFB4FA024EDB7B9FB40214B204099D908E7A40EE301E40E7D2
                                                        Function 11C92C69 Relevance: .0, Instructions: 19COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c81d0410185e752f2bc511350ccd425a8a5f824f7adb4ff69512904941d9c26
                                                        • Instruction ID: 75537b12982835e52a06f4b7dce5f714a8e8ec21444afe7fc47532faa1e86ca8
                                                        • Opcode Fuzzy Hash: 2c81d0410185e752f2bc511350ccd425a8a5f824f7adb4ff69512904941d9c26
                                                        • Instruction Fuzzy Hash: D1D05B313093618FC7079B5CD0045D43F649F4A66074500EBE804CF373C5558C4183D2
                                                        Function 071457ED Relevance: .0, Instructions: 19COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5613c49efbe70a84134d6d089a14b017cb1d86d1c05b5688a0cc5b3dde3ca556
                                                        • Instruction ID: 17399b0b7ac5189c86955289d5139304b8798af3fd07ce7090ff7fe460e0b1a3
                                                        • Opcode Fuzzy Hash: 5613c49efbe70a84134d6d089a14b017cb1d86d1c05b5688a0cc5b3dde3ca556
                                                        • Instruction Fuzzy Hash: 63F0C9B4D14238CBCB299F1998452DCFAF6BB9DB00F4141DAE14AA6280CBB40F94CFC5
                                                        Function 11C91E78 Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da9eee4739cf3d669d2b0e74ec16d3f4dd464f5e9afbbda18f1b9aaa30b104ef
                                                        • Instruction ID: a73a2ee38030429f869d290c3ab233801205eee2988aca9625956a62c67bc2fa
                                                        • Opcode Fuzzy Hash: da9eee4739cf3d669d2b0e74ec16d3f4dd464f5e9afbbda18f1b9aaa30b104ef
                                                        • Instruction Fuzzy Hash: 02D0C972441228AFD71099A1AD49BA3BB5CEB066A1F020451FC08D2006D72048138AF0
                                                        Function 03803240 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3b58c227ac5534d8b90d0bd23916ac0ad4ef736182c202f982e0fe53cbee3386
                                                        • Instruction ID: e26947ac6290105992233a999b2970d34e0845d0df0ec28ee526eb710d61cc1d
                                                        • Opcode Fuzzy Hash: 3b58c227ac5534d8b90d0bd23916ac0ad4ef736182c202f982e0fe53cbee3386
                                                        • Instruction Fuzzy Hash: D0D01771A0024DEFCB04EFA8ED4085DB7B9FB44244B5086A9D909D3300EA326F10AB91
                                                        Function 03807B50 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8a6fca95e584a7fdd1ba6154bebfa568107bd596d8fa7f5c3dc0f9c785ff90cb
                                                        • Instruction ID: d36a903026c847ad0461ad602ab0773f977520f8547711dbb756d6228b491aac
                                                        • Opcode Fuzzy Hash: 8a6fca95e584a7fdd1ba6154bebfa568107bd596d8fa7f5c3dc0f9c785ff90cb
                                                        • Instruction Fuzzy Hash: DAD05B361051506FCF138F58C854EC93FB5DFC9210B08C0BAEC0A8B317D9744515EB80
                                                        Function 03806DE0 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c4af1d2b0abc5a2035f60d52d9a7da1ac2539a2434497e776146d44dab1229bd
                                                        • Instruction ID: 54f94ae2842417d417d24b42e79bbc1cf8e50592e3abe024afbd4afc1e86a6bf
                                                        • Opcode Fuzzy Hash: c4af1d2b0abc5a2035f60d52d9a7da1ac2539a2434497e776146d44dab1229bd
                                                        • Instruction Fuzzy Hash: FED05E3110D3959FC7526B78A9540463FB8EA0711130900F7E584D7353DE7AAC01C791
                                                        Function 071497A8 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9660f22ae37fe73eb4b9307897f67c5dd79c2fb83e6c320e3eadc1cf100267ab
                                                        • Instruction ID: c050f2d9b7c591c86f7e637fd6e143c847a47714dea9c8999560299149d471e2
                                                        • Opcode Fuzzy Hash: 9660f22ae37fe73eb4b9307897f67c5dd79c2fb83e6c320e3eadc1cf100267ab
                                                        • Instruction Fuzzy Hash: 18D05B70D0120CEFC700DFA8E91145DB7B9FF44204B5084A9D509D7240EA315F40D785
                                                        Function 07145370 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5cbfeddf5a7985af924272a6eb2f7976b9370bc7c0a0296238e6b35a2e742fcc
                                                        • Instruction ID: 2ef5ad7d4491de27527f0ddb1f1e210e1728a7ef4db0431fc9a19c1a2c6becff
                                                        • Opcode Fuzzy Hash: 5cbfeddf5a7985af924272a6eb2f7976b9370bc7c0a0296238e6b35a2e742fcc
                                                        • Instruction Fuzzy Hash: A4D05E70A0120CEFCB00EFA8E90146DB7FAFB44204B9044ADD909E7380EA316F10EB91
                                                        Function 07145138 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 94cc60bfd7881bfb382e5561f00582878d24f27e3fdc89f963af3629369b8ea8
                                                        • Instruction ID: ccb340731becd453162cd59859bf22a46107840092b1f755871245c1a0924eff
                                                        • Opcode Fuzzy Hash: 94cc60bfd7881bfb382e5561f00582878d24f27e3fdc89f963af3629369b8ea8
                                                        • Instruction Fuzzy Hash: 56D05E74A1024CFFCB00DFA9FA1145DF7BAFB44204B2044A9DA08E7240EE316F00EB82
                                                        Function 0714FB98 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 004c4aed4039a59f0bc2519d6b8f5eea7e38b5fe6ff8873e3228998e08630c5b
                                                        • Instruction ID: c451905664b4bb0c05110e0c2a9aad94e8fff7abc6cfcad90462259ee58545ea
                                                        • Opcode Fuzzy Hash: 004c4aed4039a59f0bc2519d6b8f5eea7e38b5fe6ff8873e3228998e08630c5b
                                                        • Instruction Fuzzy Hash: E2D01730A0020CEFCB00EFA8E90055DB7B9FB44241B5084A9D608D3200EB326F009B95
                                                        Function 11C92C78 Relevance: .0, Instructions: 14COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 35800c0a5fd67211cb7f8ab57339db263fc2f9b214dd5789ea06d77e07db1282
                                                        • Instruction ID: ae61163a0847585ca325a82c31a7736fb68a52c9e88e55618f937491baa42a80
                                                        • Opcode Fuzzy Hash: 35800c0a5fd67211cb7f8ab57339db263fc2f9b214dd5789ea06d77e07db1282
                                                        • Instruction Fuzzy Hash: B4C012323001258BC6085E5CD400959739D9B89B24B0100A6E509CB761C996EC4187D4
                                                        Function 11C943A0 Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b384c85821782cc1293ad8f8b22c5bc430b530ad719d70b6ef2f1489d3c4ac1c
                                                        • Instruction ID: 91be824d197f2f18c70c14e36e3e2da6c4e545d512c5431826f9925341aa40cf
                                                        • Opcode Fuzzy Hash: b384c85821782cc1293ad8f8b22c5bc430b530ad719d70b6ef2f1489d3c4ac1c
                                                        • Instruction Fuzzy Hash: 2CC08C770002209AC7304E21BD097C3BB79FF52620F020444F80493014D334480296B1
                                                        Function 038037D0 Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5dfb32ca03f22a25cb4a7986f26f0fb12729f5e929ef4f55d04611260524a703
                                                        • Instruction ID: 1d3a43b08cee5ad3900dd84db83c54ac9cf3427486cb50ae6caac0305529315b
                                                        • Opcode Fuzzy Hash: 5dfb32ca03f22a25cb4a7986f26f0fb12729f5e929ef4f55d04611260524a703
                                                        • Instruction Fuzzy Hash: B8D01234500508CFCB887BBCF45D03C7FB9FB48205B0049A8E54642245DF75A428C75A
                                                        Function 03804FA0 Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 134504e0e1d40dc7df3a664ffa238f2bdeca4a3d91b491edd8257909214526ae
                                                        • Instruction ID: 57a17db68d1261fcb08cb0a626a6156d2327432601f1ba5a3829a63d82eae8b7
                                                        • Opcode Fuzzy Hash: 134504e0e1d40dc7df3a664ffa238f2bdeca4a3d91b491edd8257909214526ae
                                                        • Instruction Fuzzy Hash: 5DD0A9B10093485FCB12EB38ECA47C93BB8FF92306F04418AC04A8B18AE67814118B92
                                                        Function 11C92CE2 Relevance: .0, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 82efca76f40ee5ed9d30064273e6cde82aee5b042585f61ac9c088f01149d0c1
                                                        • Instruction ID: 219952baa1c0381f3d8d6151655fb2296e4c066b79f80a0a7d039c08bb62cd47
                                                        • Opcode Fuzzy Hash: 82efca76f40ee5ed9d30064273e6cde82aee5b042585f61ac9c088f01149d0c1
                                                        • Instruction Fuzzy Hash: 26D0A735904144CFCB35D794E1097EEFFB1DF09300F004044D55A43241D7791A0EC792
                                                        Function 11C902CC Relevance: .0, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7ca89aca4034b6dd743792d3511cc4de85387f90fcd0b3a8e208b56b63495501
                                                        • Instruction ID: e37f7fd90bad5706305765e9b1e6c85a183c963f1e64dd12bd95098106e5098f
                                                        • Opcode Fuzzy Hash: 7ca89aca4034b6dd743792d3511cc4de85387f90fcd0b3a8e208b56b63495501
                                                        • Instruction Fuzzy Hash: B6D092B4D5412CDBDB61DF1A9CA0BDDB7B9BB48700F5081EA910CA3344DE705E908F88
                                                        Function 03806DF0 Relevance: .0, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d5f7eea70fedf809c9ebf031ff776e5f169c969ef0ec71a44f829aa41e0c5981
                                                        • Instruction ID: 7216ad185eec1a3cd154d569c228e321c86cc84f334400ad6341aedc3c039112
                                                        • Opcode Fuzzy Hash: d5f7eea70fedf809c9ebf031ff776e5f169c969ef0ec71a44f829aa41e0c5981
                                                        • Instruction Fuzzy Hash: BEC08C32600328DFC7456B78F5080867BECEB4A222300007AE609C3301EF7AAC01CBC0
                                                        Function 11C91C43 Relevance: .0, Instructions: 11COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c280373d1ed49c6cfa93600d03dc2cceb982489e4830eec06c76e30590302ed
                                                        • Instruction ID: f6cf7d757d19cfea67737467cfa22bd3cc320927d220b991d2c6325f79012221
                                                        • Opcode Fuzzy Hash: 2c280373d1ed49c6cfa93600d03dc2cceb982489e4830eec06c76e30590302ed
                                                        • Instruction Fuzzy Hash: 39D0C970A4014FCBEB608F01C89ABFEBBB1AB80754F1144ADD419E6641DF745A84EF40
                                                        Function 03804F78 Relevance: .0, Instructions: 11COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a0a4b76b42d757d861ee3e77bbe011d6811a2cc07baa56862e5195cc9777c964
                                                        • Instruction ID: e5fb0c8602c224d041ee68e1b582dabef85471e287218f09c016c2e2923b4f7f
                                                        • Opcode Fuzzy Hash: a0a4b76b42d757d861ee3e77bbe011d6811a2cc07baa56862e5195cc9777c964
                                                        • Instruction Fuzzy Hash: 0CD052B000B6809FCB02C62AC98078ABFB8AF82300F0808EEC0814B063C22868148B92
                                                        Function 07145839 Relevance: .0, Instructions: 11COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7c6a72051d2bc5bd63f3c94ebb9cf1936042a581a4fcceec3665ae39910ff55b
                                                        • Instruction ID: 753ec1798505d281042e3e51f03984e199119fe9ed7127f839a413a8137593cd
                                                        • Opcode Fuzzy Hash: 7c6a72051d2bc5bd63f3c94ebb9cf1936042a581a4fcceec3665ae39910ff55b
                                                        • Instruction Fuzzy Hash: 67D017B4815698CFCB29CF10CD485E8BBB2BF86302F2141D8800A2B350C7348E84CF40
                                                        Function 03803730 Relevance: .0, Instructions: 9COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aaa831a6ffbc1627bd8e2f5a4032d3609707c6ec975496d7bb5af32d60d91d47
                                                        • Instruction ID: 60a82134112e48d15fefaed26d46a13b3dcd2e39304124f3b92a16b10d1ae43d
                                                        • Opcode Fuzzy Hash: aaa831a6ffbc1627bd8e2f5a4032d3609707c6ec975496d7bb5af32d60d91d47
                                                        • Instruction Fuzzy Hash: 88C02B310043408FCF019FF056442C037B0EB41370F0002F2C0068C08AC6280141CB00
                                                        Function 0380A8A3 Relevance: .0, Instructions: 8COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b8f987a44d440b1d9d7868fe3c687e611465833359f72b5dcefaee82c82fbf98
                                                        • Instruction ID: 2fabb9d7ccd43144bc24d36f6de1758751d4e2d34034e1ec5c2a909932e36b8a
                                                        • Opcode Fuzzy Hash: b8f987a44d440b1d9d7868fe3c687e611465833359f72b5dcefaee82c82fbf98
                                                        • Instruction Fuzzy Hash: E7C0923A48A3818FC323CBB898325D03FA06D1711238918DBC080AB2E2C12F9184EB85
                                                        Function 07140F92 Relevance: .0, Instructions: 8COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d3c7d2b9d9505a8b29bb426d36cefc5ab25c7b3fd7c28a495cde8bbfe710a17
                                                        • Instruction ID: f31c4ca2b675384753c64fe7a98b2decb194a298c7dc376e6996660fabd343ef
                                                        • Opcode Fuzzy Hash: 0d3c7d2b9d9505a8b29bb426d36cefc5ab25c7b3fd7c28a495cde8bbfe710a17
                                                        • Instruction Fuzzy Hash: 5FC04CB554F3C05FEB028721C9597017F31DF47705F1A40DA81448B1D7D2995858C762
                                                        Function 0714589B Relevance: .0, Instructions: 8COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 699dd99ff5326f18854c70885cb462046eb4879095a83afd50eeb2e4b7d24401
                                                        • Instruction ID: bc7d489c207a309fc4618467cef27b5dcd3dddb01426324fd9ea8687bd723272
                                                        • Opcode Fuzzy Hash: 699dd99ff5326f18854c70885cb462046eb4879095a83afd50eeb2e4b7d24401
                                                        • Instruction Fuzzy Hash: 94C04CB5D40734DBD7555F15649519CB972BB49711F8140EDD40AB7280CB350F80CF95
                                                        Function 11C97FD0 Relevance: .0, Instructions: 7COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2760566194.0000000011C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 11C90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_11c90000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e55853f4e39bd057c92742de5c3a8fd32f60b394987cf6d011ac55eae1409289
                                                        • Instruction ID: b073da6db71caf92f9b7176088bdb522f78cfade883fec9fbd621b45d965baa7
                                                        • Opcode Fuzzy Hash: e55853f4e39bd057c92742de5c3a8fd32f60b394987cf6d011ac55eae1409289
                                                        • Instruction Fuzzy Hash: A5C048383000008F8308CB08C994C10B7A2AB88214329C098A8098B366CB32EC03CA40
                                                        Function 03804FB0 Relevance: .0, Instructions: 7COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b0fe3f20e9d58abee827e0d4d5c2af29c201b51895ae87bb3b3cad63158217b7
                                                        • Instruction ID: 09bb616a049d12c30b651b39b213b9362b47f11ccd677e6283802ca95503fa5e
                                                        • Opcode Fuzzy Hash: b0fe3f20e9d58abee827e0d4d5c2af29c201b51895ae87bb3b3cad63158217b7
                                                        • Instruction Fuzzy Hash: A2B0127000870D4FC740BB54F40D454771DF5402047404513E20D060445D6C682046CB

                                                        Non-executed Functions

                                                        Function 110EDA30 Relevance: 27.0, APIs: 5, Strings: 10, Instructions: 737COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Null String,854D3E01,?,00000008), ref: 110EDAF5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Null String$amazon$ec2$hvm domu$hyper-v$innotek gmbh$virtual machine$virtualbox$vmware$xen
                                                        • API String ID: 0-2774770713
                                                        • Opcode ID: 7b8b7a187b29e1266837e7967932ed0dea7f1e78959a28d4f67014b34bc347fa
                                                        • Instruction ID: 70faae9d514d60a18b875b2032a6b3b3d300de08e07a5b016e5fc25be0409921
                                                        • Opcode Fuzzy Hash: 7b8b7a187b29e1266837e7967932ed0dea7f1e78959a28d4f67014b34bc347fa
                                                        • Instruction Fuzzy Hash: 7C520731D051AA8FDB11CF39C8587ECBBB1EB42324F1983D9C89967292D731AD86CB51
                                                        Function 0D686E00 Relevance: 5.6, Strings: 4, Instructions: 560COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ti(q$ti(q$ti(q$ti(q
                                                        • API String ID: 0-1097006870
                                                        • Opcode ID: 68f744513dfa1b2a4ea9418c847694482dc17a5c98d22446fc98c82ceaa77f90
                                                        • Instruction ID: 474fe4be84943d6e102f3ac2969ba967c3bf2287e03a1645d272a3e05084c0d9
                                                        • Opcode Fuzzy Hash: 68f744513dfa1b2a4ea9418c847694482dc17a5c98d22446fc98c82ceaa77f90
                                                        • Instruction Fuzzy Hash: D8020974B043416BC714FB79A45463EB69BBBC8500B688D2EE946D7381CE78EC0693E7
                                                        Function 110EEEC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 110EEF94
                                                          • Part of subcall function 110ED600: 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,854D3E01,?,00000008), ref: 110ED6B4
                                                          • Part of subcall function 110EE3F0: 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,854D3E01,?,00000008), ref: 110EE4B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Null String$vboxrev
                                                        • API String ID: 0-530560522
                                                        • Opcode ID: d80c90590000effb42cbcb0b448a1857cc6f793a03457d20240663678fd81ebe
                                                        • Instruction ID: 07afcccc0690f5b45dd55bdbf8d1b5dfd5b3ab7e85124ae3c740a4209ac497ab
                                                        • Opcode Fuzzy Hash: d80c90590000effb42cbcb0b448a1857cc6f793a03457d20240663678fd81ebe
                                                        • Instruction Fuzzy Hash: AE51E231D0A3D68FD712CF29841866ABFE1AFC6314F08098DF8D953242D735998A8783
                                                        Function 0380D311 Relevance: 4.3, Strings: 3, Instructions: 568COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p$[cn^$kcn^
                                                        • API String ID: 0-1354903595
                                                        • Opcode ID: 81176a325cd1f27827aa2f8421dbb7337716e14a2274dee41344ff0e7b60fddb
                                                        • Instruction ID: fb95f9d021a5b5ecf8f7f327529123af98271a1ae0f3286502cac7ff72fe9b90
                                                        • Opcode Fuzzy Hash: 81176a325cd1f27827aa2f8421dbb7337716e14a2274dee41344ff0e7b60fddb
                                                        • Instruction Fuzzy Hash: 32420771900218DFDB51DFA8DD40AEEBBB6FF89300F0049AAC109AB250EF755E949F91
                                                        Function 0380D320 Relevance: 4.3, Strings: 3, Instructions: 562COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p$[cn^$kcn^
                                                        • API String ID: 0-1354903595
                                                        • Opcode ID: 86dde87362f536380f5bdd1ebfdcf1cdc3003d07ddd0a7793277db1eed93eec9
                                                        • Instruction ID: afb871c777beaadff6b9fa8b8bf61b79b3ebea420e7404cf5f7e37180f114542
                                                        • Opcode Fuzzy Hash: 86dde87362f536380f5bdd1ebfdcf1cdc3003d07ddd0a7793277db1eed93eec9
                                                        • Instruction Fuzzy Hash: 53420771900218DFDB55DFA8DD40AEEBBB6FF89300F0049AAC109AB250EF755E949F91
                                                        Function 0380CB68 Relevance: 4.2, Strings: 3, Instructions: 433COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p$[dn^$kdn^
                                                        • API String ID: 0-1834319064
                                                        • Opcode ID: cd4b942b5d6bf0573e277397ef253a02c2921daa0170019fc45555b3200853bb
                                                        • Instruction ID: 3e50acd2e5f0f03f59148637f26374635a872ccdbf15429e77c22f1fa1623531
                                                        • Opcode Fuzzy Hash: cd4b942b5d6bf0573e277397ef253a02c2921daa0170019fc45555b3200853bb
                                                        • Instruction Fuzzy Hash: 9312F775D00218DFCB55DFA4D940AEEBBB6FF84300F0089AAC209AB250EF355E949F91
                                                        Function 0380CB78 Relevance: 4.2, Strings: 3, Instructions: 426COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p$[dn^$kdn^
                                                        • API String ID: 0-1834319064
                                                        • Opcode ID: 1be585ddcee0f448ba5c7b1d17cbc421dbbcefd8535d6639729b4012249b713b
                                                        • Instruction ID: f6e40f35613b7099b270fef67d438ab1d656616a9d01c983a6ef0fafa676718b
                                                        • Opcode Fuzzy Hash: 1be585ddcee0f448ba5c7b1d17cbc421dbbcefd8535d6639729b4012249b713b
                                                        • Instruction Fuzzy Hash: F312F875D00218DFCB55DFA5D940AEEBBB6FF84300F0089AAC209AB250EF355E949F95
                                                        Function 0714A859 Relevance: 4.2, Strings: 3, Instructions: 406COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2710470774.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7140000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$F$G
                                                        • API String ID: 0-2960425559
                                                        • Opcode ID: cc91068d1388b9ddbcead48b3bbe5038638d21eefe4c517341687e41283db4f2
                                                        • Instruction ID: c95b2276bb9d1260f042eeb6e4f903e5ae85e333314d862f6d9e11309c98d7d0
                                                        • Opcode Fuzzy Hash: cc91068d1388b9ddbcead48b3bbe5038638d21eefe4c517341687e41283db4f2
                                                        • Instruction Fuzzy Hash: B0121AB1E0025ADFDB119F64D98479CBBB2BF89304F41C69AD20A7F291DB749A84CF41
                                                        Function 0D6838F0 Relevance: 2.4, Strings: 1, Instructions: 1170COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: =
                                                        • API String ID: 0-575803426
                                                        • Opcode ID: d386b7330f0f969ecaaa1b085c2f4097685e1522cf8473776f4574a335f39152
                                                        • Instruction ID: 6804074a6065449464471c984d0e6416fe2632d19ec6977688dfee58e52a72d6
                                                        • Opcode Fuzzy Hash: d386b7330f0f969ecaaa1b085c2f4097685e1522cf8473776f4574a335f39152
                                                        • Instruction Fuzzy Hash: 81C23771900218DFCB61EFA4D994AEDBBB6FF89300F0045EAD509AB250EB356E94CF51
                                                        Function 0D683920 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: =
                                                        • API String ID: 0-575803426
                                                        • Opcode ID: e374cdd2b1cba3e9b0ac5be60bedbe73783b74c2f63e74737d95b8913992ef9d
                                                        • Instruction ID: fb87acb3f9de5e4b650592c6e95c37bd18cbe12e81ac3032e9e1ba3e79774e97
                                                        • Opcode Fuzzy Hash: e374cdd2b1cba3e9b0ac5be60bedbe73783b74c2f63e74737d95b8913992ef9d
                                                        • Instruction Fuzzy Hash: 5DC22771900218DFCB61EFA4D984AEDBBB6FF88300F0045EAD509AB250EB356E94CF55
                                                        Function 0D68257B Relevance: 2.3, Strings: 1, Instructions: 1010COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p
                                                        • API String ID: 0-2034952871
                                                        • Opcode ID: 9024d76846d4e982e60ce6b35a2bdcd6b0f645bd0ee525855ee3e4869a36d194
                                                        • Instruction ID: f8f4567c7feb09924fd3faf0dc4bcfb21a47093cac5f0279f904cefb84e6525c
                                                        • Opcode Fuzzy Hash: 9024d76846d4e982e60ce6b35a2bdcd6b0f645bd0ee525855ee3e4869a36d194
                                                        • Instruction Fuzzy Hash: D4B212759002688FCB65DF64D944AEEBBB2FF89300F0045EAD509AB250EF356E94CF91
                                                        Function 0D6825BB Relevance: 2.2, Strings: 1, Instructions: 979COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p
                                                        • API String ID: 0-2034952871
                                                        • Opcode ID: 9085d99d9e98af92d62cca16ec1fd826faa6350458857901c571c6d96f90bd60
                                                        • Instruction ID: bf8f2aa8f75fac930b904058a98dba5db542ce8934f25ced96e15588dc60de58
                                                        • Opcode Fuzzy Hash: 9085d99d9e98af92d62cca16ec1fd826faa6350458857901c571c6d96f90bd60
                                                        • Instruction Fuzzy Hash: 9BA201759002288FCB65DF64D944AEEBBB2FF89300F0045EAD509AB250EF356E94DF91
                                                        Function 0D6825C8 Relevance: 2.2, Strings: 1, Instructions: 975COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2727072681.000000000D680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D680000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_d680000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p~p
                                                        • API String ID: 0-2034952871
                                                        • Opcode ID: b431dbf61a8fc1f47241541fb60c34d711ec64770157a1e2498a74d56810eb5d
                                                        • Instruction ID: 4ae2559030db3d1c0e96b8fe401a12e974ca475d3f023b20bdf6f47223f3a904
                                                        • Opcode Fuzzy Hash: b431dbf61a8fc1f47241541fb60c34d711ec64770157a1e2498a74d56810eb5d
                                                        • Instruction Fuzzy Hash: 1AA2F1759002288FCB65DF64D944AEEBBB2FF89300F0045EAD509AB250EF356E94DF91
                                                        Function 110F09B0 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        • Encrypt AES with default password, xrefs: 110F09E6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Encrypt AES with default password
                                                        • API String ID: 0-1330174511
                                                        • Opcode ID: 9383a0f7e2d8cce749a5bbdf31eae867c41c6dd62e645408efbc54f1bec5c8ef
                                                        • Instruction ID: b113fe3e0e094c7b4f5e5e6117cf7e5ec3e6eb77c577938af76d569292a0f8f8
                                                        • Opcode Fuzzy Hash: 9383a0f7e2d8cce749a5bbdf31eae867c41c6dd62e645408efbc54f1bec5c8ef
                                                        • Instruction Fuzzy Hash: 5211AC75A083069F8710DF2AC84294FBBE5FB89618F404A0DF8946B200D770EA14CBE6
                                                        Function 0380DDD7 Relevance: .4, Instructions: 373COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5698d75960f4231dca5c7bf254bb688685b9ab1d5779a293dd745858281da289
                                                        • Instruction ID: 7f7e86a40feacbf878099c8b5aa23a23bc5938d03472e83eaae01600899733eb
                                                        • Opcode Fuzzy Hash: 5698d75960f4231dca5c7bf254bb688685b9ab1d5779a293dd745858281da289
                                                        • Instruction Fuzzy Hash: 87020575D00218DFCB55DFA4D944AEDBBB6FF85300F0089AAC209AB250EF355E949F92
                                                        Function 0380DDE8 Relevance: .4, Instructions: 368COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2671501834.0000000003800000.00000040.00000800.00020000.00000000.sdmp, Offset: 03800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_3800000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 25ab07baed6e2a4c13eb5c958b4bb9f542d69121e8c7550b32ea6984d7dfcff6
                                                        • Instruction ID: 2432877633ed2c9c227c98187adcbdb7614d2eae7acb91d79c59eed1e616c663
                                                        • Opcode Fuzzy Hash: 25ab07baed6e2a4c13eb5c958b4bb9f542d69121e8c7550b32ea6984d7dfcff6
                                                        • Instruction Fuzzy Hash: 5802F575D00218DFCB55DFA4D940AEDBBB6FF85300F0089AAC209AB250EF355E949F92
                                                        Function 110F05C0 Relevance: .1, Instructions: 145COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67e263be105566f4df38009df09ce64dcc4ce68e50f7854bc991762bfc3dca62
                                                        • Instruction ID: 65a59cb830f7cd16208f90cb1113d9a6a249eeaf4c7156cd87e94fbb89b1b39e
                                                        • Opcode Fuzzy Hash: 67e263be105566f4df38009df09ce64dcc4ce68e50f7854bc991762bfc3dca62
                                                        • Instruction Fuzzy Hash: B241D5B2908204EFE705EF19DC51BAEBBF5EF85720F15452EE98593340E7326904CB92
                                                        Function 110EE3F0 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 459COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,854D3E01,?,00000008), ref: 110EE4B8
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,ec2,?,amazon,?,Null String,854D3E01,?,00000008), ref: 110EE5B4
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,Null String,ec2,?,amazon,?,Null String,854D3E01,?,00000008), ref: 110EE708
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Null String,hyper-v,?,Null String,Null String,ec2,?,amazon,?,Null String,854D3E01,?,00000008), ref: 110EE7E8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Null String$amazon$ec2$hyper-v$virtual machine
                                                        • API String ID: 0-3055017615
                                                        • Opcode ID: 28b7e7a578df5073c9ba172d20be37ffb0bc0044d92169a8f48ab21a898cba87
                                                        • Instruction ID: 6585b2db2ad73bc34770566a6b3f368b80871a339611dc941fabe423552d738e
                                                        • Opcode Fuzzy Hash: 28b7e7a578df5073c9ba172d20be37ffb0bc0044d92169a8f48ab21a898cba87
                                                        • Instruction Fuzzy Hash: 65021331C052A98FDB11CB39C8587ACBBF1AF46314F1582D9C8D9A7292EB31AD85CF51
                                                        Function 110ED600 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 353COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,854D3E01,?,00000008), ref: 110ED6B4
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Null String,ec2,?,amazon,xen,Null String,854D3E01,?,00000008), ref: 110ED8A4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Null String$amazon$ec2$hyper-v$innotek gmbh$virtualbox$xen
                                                        • API String ID: 0-653037558
                                                        • Opcode ID: ddc9140253bb93a5b9d9cecfd8908e1f4dad861f4a593a7509320930e53dc370
                                                        • Instruction ID: 546c03f654c42cdf65ac553f6651445161d279143f19ade81ad6a8ac8dbeb016
                                                        • Opcode Fuzzy Hash: ddc9140253bb93a5b9d9cecfd8908e1f4dad861f4a593a7509320930e53dc370
                                                        • Instruction Fuzzy Hash: 1DD10531D061968FDB11CF3DC8586ACBBF2FB42324F158399C8E9AB295D731A946CB50
                                                        Function 110EE9E0 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 390COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,854D3E01,?,00000008), ref: 110EEAA4
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(?,Null String,ec2,?,amazon,xen,Null String,854D3E01,?,00000008), ref: 110EECA4
                                                        • 752E3E90.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Null String,hyper-v,?,Null String,ec2,?,amazon,xen,Null String,854D3E01,?,00000008), ref: 110EED7A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2743080002.00000000110E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 110E0000, based on PE: true
                                                        • Associated: 00000000.00000002.2743049912.00000000110E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743249072.00000000110F7000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743276389.00000000110F8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743311041.00000000110FA000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743344248.00000000110FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.00000000110FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743374402.0000000011100000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743438568.0000000011101000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743469910.0000000011102000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011103000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.000000001125D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112A9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112BF000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112D5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112E9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.00000000112ED000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011318000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2743523086.0000000011349000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                        • Associated: 00000000.00000002.2753452931.000000001167B000.00000020.00000001.01000000.0000000F.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_110e0000_CEFA-FAS_LicMgr.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Null String$amazon$ec2$hyper-v$xen
                                                        • API String ID: 0-3820432342
                                                        • Opcode ID: 9abb947ef9603b7fceb4dbdd9367ab7bc35008e349a7f6b96bb4a070de811207
                                                        • Instruction ID: 3e6ea1249f99a179b5588c8225a14d22ad5c745cf191c6fcc655d2e3cb39e9e7
                                                        • Opcode Fuzzy Hash: 9abb947ef9603b7fceb4dbdd9367ab7bc35008e349a7f6b96bb4a070de811207
                                                        • Instruction Fuzzy Hash: CFE13731D052AD8FDB11CF39C8587EDBBB1AF42314F1482D9C89AA7291DB31AD86CB51

                                                        Execution Graph

                                                        Execution Coverage:5.7%
                                                        Dynamic/Decrypted Code Coverage:4.3%
                                                        Signature Coverage:3.5%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:88
                                                        execution_graph 49904 2be949e 49905 2be94ad 49904->49905 49916 2be4510 49905->49916 49907 2be94b3 49908 2be94be GetModuleHandleA 49907->49908 49909 2be94cd 49907->49909 49908->49909 49910 2be950c 49908->49910 49928 2be40e0 49909->49928 49940 2c13730 29 API calls 49910->49940 49912 2be94ef 49912->49910 49939 2be7740 37 API calls 49912->49939 49914 2be96fd 49917 2be4536 49916->49917 49919 2be4578 49916->49919 49917->49907 49920 2be45c9 49919->49920 49941 2c41fa5 15 API calls 49919->49941 49921 2be460b 49920->49921 49922 2be4656 49920->49922 49942 2bee270 49921->49942 49955 2be42a0 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 49922->49955 49925 2be4629 49954 2be4400 SetLastError RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 49925->49954 49927 2be4651 49927->49907 49959 2c0d8e0 49928->49959 49930 2be418f 49931 2be41a2 49930->49931 49964 2c0d910 RtlLeaveCriticalSection 49930->49964 49931->49912 49932 2be410a 49932->49930 49934 2be4141 49932->49934 49935 2be4153 49934->49935 49962 2be7740 37 API calls 49934->49962 49937 2be417b 49935->49937 49963 2c0d910 RtlLeaveCriticalSection 49935->49963 49937->49912 49939->49910 49940->49914 49941->49919 49943 2bee29a 49942->49943 49945 2bee2b2 49942->49945 49943->49925 49944 2bee2b8 49944->49925 49945->49944 49946 2bee31a 49945->49946 49952 2bee358 49945->49952 49956 2bf06d0 20 API calls 49946->49956 49950 2bee413 49953 2bee46d ctype 49950->49953 49958 2c02920 GetCurrentDirectoryA 49950->49958 49951 2bee34c 49951->49952 49952->49950 49952->49953 49957 2c023c0 50 API calls 49952->49957 49953->49925 49954->49927 49955->49927 49956->49951 49957->49950 49958->49953 49960 2c0d8f8 RtlEnterCriticalSection 49959->49960 49961 2c0d8e8 RtlInitializeCriticalSection 49959->49961 49960->49932 49961->49960 49962->49935 49963->49937 49964->49931 49965 2c0d800 GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 49968 2bedc80 49965->49968 49969 2bedc91 GetCurrentThreadId 49968->49969 49970 2c019e0 49981 2bfcc90 49970->49981 49973 2c01a27 49984 2bfccc0 7 API calls 49973->49984 49974 2c01a1e GetFileType 49976 2c01a2c 49974->49976 49977 2c01a4f 49976->49977 49985 2bf3010 49976->49985 49979 2c01a67 49977->49979 49988 2bfccc0 7 API calls 49977->49988 49989 2bfcb10 49981->49989 49983 2bfcca7 49983->49973 49983->49974 49984->49976 50000 2bf2da0 49985->50000 49988->49979 49990 2bfcc7b 49989->49990 49991 2bfcb20 49989->49991 49990->49983 49991->49990 49992 2bfcb3a GetLastError 49991->49992 49993 2bfcb4a RtlEnterCriticalSection 49992->49993 49994 2bfcb66 49993->49994 49994->49993 49995 2bfcc43 RtlLeaveCriticalSection 49994->49995 49996 2bfcbf4 GetCurrentThreadId 49994->49996 49997 2bfcc03 GetCurrentThreadId 49994->49997 49999 2bfcc5a Sleep 49994->49999 49995->49994 49998 2bfcc66 SetLastError 49995->49998 49996->49994 49997->49994 49998->49983 49999->49993 50001 2bf2daa 50000->50001 50011 2bf2dc1 50000->50011 50015 2bf2960 21 API calls 50001->50015 50003 2bf2db0 50004 2bf2fdb 50003->50004 50003->50011 50004->49977 50005 2bf2e7a InterlockedIncrement 50006 2bf2e88 InterlockedDecrement Sleep InterlockedIncrement 50005->50006 50007 2bf2ea5 InterlockedExchangeAdd 50005->50007 50006->50006 50006->50007 50008 2bf2ecc GetCurrentThreadId 50007->50008 50009 2bf2eba InterlockedDecrement 50007->50009 50010 2bf2fcc InterlockedDecrement 50008->50010 50014 2bf2ef5 50008->50014 50016 2bf2bd0 14 API calls 50009->50016 50010->50004 50011->50005 50013 2bf2eca 50013->50005 50014->50010 50015->50003 50016->50013 50017 2c11b80 50018 2c11b8c SetFilePointer 50017->50018 50019 2c11b9e 50017->50019 50018->50019 50020 2c06fe2 50021 2c07045 RtlAllocateHeap 50020->50021 50022 2c06fff HeapCreate 50020->50022 50023 2c07060 50021->50023 50024 2c0708b 50021->50024 50029 2c0701a 50022->50029 50037 2c2b510 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 50023->50037 50040 2c0cab0 50024->50040 50027 2c0706a 50038 2c2b510 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 50027->50038 50032 2c07034 50029->50032 50036 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 50029->50036 50032->50021 50033 2c07078 50039 2c06ef0 8 API calls 50033->50039 50035 2c07081 ExitProcess 50036->50032 50037->50027 50038->50033 50039->50035 50041 2c0cab9 50040->50041 50042 2c07093 50040->50042 50041->50042 50043 2c0d8e0 2 API calls 50041->50043 50044 2c0cac9 50043->50044 50046 2c0d910 RtlLeaveCriticalSection 50044->50046 50046->50042 50047 2c07105 RtlSizeHeap 50048 2c0cab0 3 API calls 50047->50048 50049 2c0711e RtlFreeHeap 50048->50049 50050 2c41502 GetVersion 50071 2c43cf3 HeapCreate 50050->50071 50052 2c41560 50053 2c41565 50052->50053 50054 2c4156d 50052->50054 50146 2c41606 8 API calls 50053->50146 50083 2c439d3 50054->50083 50058 2c41576 GetCommandLineA 50097 2c438a1 50058->50097 50062 2c41590 50129 2c4359b 50062->50129 50064 2c41595 50142 2c4aa10 GetModuleHandleA 50064->50142 50068 2c415c2 50148 2c43417 UnhandledExceptionFilter 50068->50148 50070 2c415d3 50072 2c43d13 50071->50072 50073 2c43d49 50071->50073 50149 2c43bab 19 API calls 50072->50149 50073->50052 50075 2c43d18 50076 2c43d22 50075->50076 50077 2c43d2f 50075->50077 50150 2c45173 RtlAllocateHeap 50076->50150 50079 2c43d4c 50077->50079 50151 2c45cba RtlAllocateHeap VirtualAlloc VirtualAlloc VirtualFree HeapFree 50077->50151 50079->50052 50080 2c43d2c 50080->50079 50082 2c43d3d HeapDestroy 50080->50082 50082->50073 50152 2c41e0f 50083->50152 50086 2c439f2 GetStartupInfoA 50093 2c43b03 50086->50093 50096 2c43a3e 50086->50096 50089 2c43b2a GetStdHandle 50092 2c43b38 GetFileType 50089->50092 50089->50093 50090 2c43b6a SetHandleCount 50090->50058 50091 2c41e0f 12 API calls 50091->50096 50092->50093 50093->50089 50093->50090 50094 2c43aaf 50094->50093 50095 2c43ad1 GetFileType 50094->50095 50095->50094 50096->50091 50096->50093 50096->50094 50098 2c438bc GetEnvironmentStringsW 50097->50098 50099 2c438ef 50097->50099 50100 2c438c4 50098->50100 50101 2c438d0 GetEnvironmentStrings 50098->50101 50099->50100 50102 2c438e0 50099->50102 50104 2c438fc GetEnvironmentStringsW 50100->50104 50105 2c43908 WideCharToMultiByte 50100->50105 50101->50102 50103 2c41586 50101->50103 50102->50103 50106 2c43982 GetEnvironmentStrings 50102->50106 50107 2c4398e 50102->50107 50120 2c43654 50103->50120 50104->50103 50104->50105 50109 2c4393c 50105->50109 50110 2c4396e FreeEnvironmentStringsW 50105->50110 50106->50103 50106->50107 50111 2c41e0f 12 API calls 50107->50111 50112 2c41e0f 12 API calls 50109->50112 50110->50103 50118 2c439a9 50111->50118 50113 2c43942 50112->50113 50113->50110 50114 2c4394b WideCharToMultiByte 50113->50114 50116 2c4395c 50114->50116 50117 2c43965 50114->50117 50115 2c439bf FreeEnvironmentStringsA 50115->50103 50161 2c42172 50116->50161 50117->50110 50118->50115 50121 2c43666 50120->50121 50122 2c4366b GetModuleFileNameA 50120->50122 50174 2c47ed4 19 API calls 50121->50174 50124 2c4368e 50122->50124 50125 2c41e0f 12 API calls 50124->50125 50126 2c436af 50125->50126 50127 2c436bf 50126->50127 50175 2c415e1 7 API calls 50126->50175 50127->50062 50130 2c435a8 50129->50130 50132 2c435ad 50129->50132 50176 2c47ed4 19 API calls 50130->50176 50133 2c41e0f 12 API calls 50132->50133 50134 2c435da 50133->50134 50135 2c435ee 50134->50135 50177 2c415e1 7 API calls 50134->50177 50139 2c43631 50135->50139 50140 2c41e0f 12 API calls 50135->50140 50178 2c415e1 7 API calls 50135->50178 50137 2c42172 ctype 7 API calls 50138 2c4363d 50137->50138 50138->50064 50139->50137 50140->50135 50143 2c4aa59 50142->50143 50179 2be1000 GetModuleHandleA 50143->50179 50147 2c4209d GetCurrentProcess TerminateProcess ExitProcess 50147->50068 50148->50070 50149->50075 50150->50080 50151->50080 50156 2c41e21 50152->50156 50155 2c415e1 7 API calls 50155->50086 50157 2c41e1e 50156->50157 50159 2c41e28 50156->50159 50157->50086 50157->50155 50159->50157 50160 2c41e4d 12 API calls 50159->50160 50160->50159 50162 2c4217e 50161->50162 50170 2c4219a 50161->50170 50163 2c42188 ctype 50162->50163 50164 2c4219e ctype 50162->50164 50166 2c421ca HeapFree 50163->50166 50167 2c42194 50163->50167 50165 2c421c9 50164->50165 50169 2c421b8 50164->50169 50165->50166 50166->50170 50172 2c451e6 VirtualFree VirtualFree HeapFree ctype 50167->50172 50173 2c45f6d VirtualFree HeapFree VirtualFree ctype 50169->50173 50170->50117 50172->50170 50173->50170 50174->50122 50175->50127 50176->50132 50177->50135 50178->50135 50182 2be2210 50179->50182 50181 2be1039 50181->50147 50183 2c0d6a0 50182->50183 50184 2be2236 GetModuleHandleA 50183->50184 50185 2be2456 50184->50185 50186 2be2263 50184->50186 50189 2be227c 50185->50189 50190 2be2462 50185->50190 50187 2be2437 50186->50187 50188 2be2270 ExitProcess 50186->50188 50187->50181 50254 2be2020 GetEnvironmentStrings 50189->50254 50195 2be2475 50190->50195 50466 2bea270 202 API calls ctype 50190->50466 50194 2be22b7 50194->50187 50201 2be22d6 50194->50201 50276 2bf85c0 50194->50276 50195->50187 50196 2be24ba 50195->50196 50198 2bf3010 29 API calls 50195->50198 50442 2be7fb0 50196->50442 50198->50196 50200 2be234e GetModuleHandleA GetModuleFileNameA 50203 2be2381 50200->50203 50201->50200 50308 2c0d2b0 RtlInitializeCriticalSection 50201->50308 50329 2be1250 50203->50329 50206 2be22f0 50455 2c0cce0 GetModuleHandleA GetProcAddress GetVersionExA GetVersion 50206->50455 50207 2be24cb 50207->50181 50210 2be238b 50333 2bfb9e0 50210->50333 50211 2be22f5 50309 2c0c9f0 50211->50309 50215 2be22ff 50318 2bf2860 GetCurrentProcessId 50215->50318 50218 2be23a6 50349 2bfbb30 50218->50349 50219 2be2304 50324 2c0b620 50219->50324 50223 2be2316 50456 2bfbba0 GetVersionExA MultiByteToWideChar 50223->50456 50224 2be1250 50 API calls 50225 2be23ca 50224->50225 50354 2bf36b0 50225->50354 50228 2be23d6 SetEnvironmentVariableA 50232 2be23f7 50228->50232 50229 2be2320 50457 2beb6e0 RtlInitializeCriticalSection RtlInitializeCriticalSection 50229->50457 50236 2be2403 GetCommandLineA 50232->50236 50233 2be2325 50458 2bf1060 RtlInitializeCriticalSection RtlInitializeCriticalSection ctype 50233->50458 50235 2be232a 50459 2c02f80 RtlInitializeCriticalSection ctype 50235->50459 50238 2bf3010 29 API calls 50236->50238 50240 2be2417 50238->50240 50239 2be232f 50460 2c0a7b0 RtlInitializeCriticalSection RtlInitializeCriticalSection ctype 50239->50460 50240->50187 50405 2c055e0 50240->50405 50242 2be2334 50461 2c09370 20 API calls 50242->50461 50246 2be2339 50462 2c07cc0 20 API calls 50246->50462 50250 2be233e GetModuleHandleA 50250->50200 50467 2be11c0 50254->50467 50256 2be2042 FreeEnvironmentStringsA 50257 2be2059 50256->50257 50258 2be21f4 50257->50258 50259 2be2081 50257->50259 50258->50194 50468 2be1f20 6 API calls 50259->50468 50261 2be2093 50261->50258 50262 2be209e LoadLibraryA 50261->50262 50263 2be21cc 50262->50263 50264 2be20b6 VirtualProtect GetProcAddress 50262->50264 50474 2be27c0 TlsAlloc TlsAlloc TlsSetValue 50263->50474 50265 2be2154 FreeLibrary 50264->50265 50268 2be20eb 50264->50268 50265->50194 50267 2be21ec 50267->50258 50269 2be2168 GetProcAddress 50268->50269 50270 2be2123 50268->50270 50269->50263 50272 2be217d 50269->50272 50469 2c41dbe 50270->50469 50274 2be21aa 50272->50274 50275 2be2192 ExitProcess 50272->50275 50274->50194 50277 2bf85e8 50276->50277 50307 2bf87b3 50276->50307 50483 2bf8560 50277->50483 50280 2bf8644 50488 2c2fba0 GetLastError SetLastError WideCharToMultiByte SetEnvironmentVariableW SetEnvironmentVariableA 50280->50488 50281 2bf8652 50489 2c2fc60 GetCurrentDirectoryW GetCurrentDirectoryA MultiByteToWideChar ctype 50281->50489 50284 2bf8650 50285 2bf8560 6 API calls 50284->50285 50286 2bf868a 50285->50286 50287 2bf86a6 50286->50287 50288 2bf8691 50286->50288 50491 2c2fe30 GetModuleFileNameW GetModuleFileNameA MultiByteToWideChar 50287->50491 50490 2c2fba0 GetLastError SetLastError WideCharToMultiByte SetEnvironmentVariableW SetEnvironmentVariableA 50288->50490 50291 2bf86a4 50293 2bf8560 6 API calls 50291->50293 50292 2bf86c7 50292->50291 50294 2bf86ea 50293->50294 50295 2bf8731 50294->50295 50296 2bf86f1 50294->50296 50298 2bf8742 GetCurrentProcessId 50295->50298 50492 2c2fba0 GetLastError SetLastError WideCharToMultiByte SetEnvironmentVariableW SetEnvironmentVariableA 50296->50492 50300 2c41dbe 19 API calls 50298->50300 50299 2bf86fd 50493 2c2f9b0 GetLastError SetLastError WideCharToMultiByte GetFileAttributesW GetFileAttributesA 50299->50493 50302 2bf8775 CreateFileMappingA 50300->50302 50304 2bf8797 MapViewOfFile 50302->50304 50302->50307 50303 2bf870a 50303->50298 50494 2be27c0 TlsAlloc TlsAlloc TlsSetValue 50303->50494 50304->50307 50306 2bf8727 50306->50298 50307->50201 50308->50206 50310 2c0ca0f 50309->50310 50311 2c0ca29 GetCurrentProcessId 50310->50311 50510 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 50310->50510 50507 2be28e0 50311->50507 50316 2c0ca8a 50316->50215 50317 2c0ca6f MapViewOfFile 50317->50316 50319 2be28e0 4 API calls 50318->50319 50320 2bf2878 CreateFileMappingA 50319->50320 50523 2be2bd0 50320->50523 50322 2bf289f MapViewOfFile GetCommandLineA 50323 2bf28d4 50322->50323 50323->50219 50325 2c0b93c 50324->50325 50328 2c0b64b ctype 50324->50328 50325->50223 50327 2c0b83f MultiByteToWideChar MultiByteToWideChar 50327->50328 50328->50325 50328->50327 50525 2c0b5a0 50328->50525 50330 2be126b 50329->50330 50332 2be1290 50329->50332 50330->50332 50529 2bf0e10 50330->50529 50332->50210 50542 2bfb7f0 GetLastError 50333->50542 50335 2bfba03 50543 2bfb800 SetLastError 50335->50543 50337 2be239c 50338 2bfba80 50337->50338 50544 2bfb7f0 GetLastError 50338->50544 50340 2bfbaa2 50341 2bfbb0e 50340->50341 50343 2bfbab6 50340->50343 50347 2bfbad1 50340->50347 50546 2bfb800 SetLastError 50341->50546 50545 2bfb800 SetLastError 50343->50545 50344 2bfbb1a 50344->50218 50346 2bfbabf 50346->50218 50348 2bfbae6 WideCharToMultiByte 50347->50348 50348->50341 50547 2bfb7f0 GetLastError 50349->50547 50351 2bfbb52 ctype 50548 2bfb800 SetLastError 50351->50548 50353 2be23c0 50353->50224 50355 2bf36be 50354->50355 50356 2bf37fd 50355->50356 50357 2bf3a2d 50355->50357 50358 2bf3889 50355->50358 50359 2bf3ab6 50355->50359 50360 2bf36e5 50355->50360 50361 2bf3915 50355->50361 50362 2bf3771 50355->50362 50363 2bf39a1 50355->50363 50404 2bf3b31 50355->50404 50364 2bf3010 29 API calls 50356->50364 50371 2bf3010 29 API calls 50357->50371 50370 2bf3010 29 API calls 50358->50370 50368 2bf3010 29 API calls 50359->50368 50369 2bf3010 29 API calls 50360->50369 50367 2bf3010 29 API calls 50361->50367 50366 2bf3010 29 API calls 50362->50366 50365 2bf3010 29 API calls 50363->50365 50372 2bf380c 50364->50372 50373 2bf39b0 50365->50373 50374 2bf3780 50366->50374 50375 2bf3924 50367->50375 50376 2bf3ac5 50368->50376 50377 2bf36f4 50369->50377 50378 2bf3898 50370->50378 50379 2bf3a3c 50371->50379 50381 2bf3847 GetCommandLineA GetCurrentProcessId 50372->50381 50372->50404 50382 2bf39eb GetCommandLineA GetCurrentProcessId 50373->50382 50373->50404 50383 2bf37bb GetCommandLineA GetCurrentProcessId 50374->50383 50374->50404 50384 2bf395f GetCommandLineA GetCurrentProcessId 50375->50384 50375->50404 50385 2bf3af4 GetCommandLineA GetCurrentProcessId 50376->50385 50376->50404 50386 2bf372f GetCommandLineA GetCurrentProcessId 50377->50386 50377->50404 50387 2bf38d3 GetCommandLineA GetCurrentProcessId 50378->50387 50378->50404 50380 2bf3a77 GetCommandLineA GetCurrentProcessId 50379->50380 50379->50404 50390 2be28e0 4 API calls 50380->50390 50394 2be28e0 4 API calls 50381->50394 50395 2be28e0 4 API calls 50382->50395 50391 2be28e0 4 API calls 50383->50391 50392 2be28e0 4 API calls 50384->50392 50393 2be28e0 4 API calls 50385->50393 50388 2be28e0 4 API calls 50386->50388 50389 2be28e0 4 API calls 50387->50389 50396 2bf374d MessageBoxA 50388->50396 50397 2bf38f1 MessageBoxA 50389->50397 50398 2bf3a95 MessageBoxA 50390->50398 50399 2bf37d9 MessageBoxA 50391->50399 50400 2bf397d MessageBoxA 50392->50400 50401 2bf3b12 MessageBoxA 50393->50401 50402 2bf3865 MessageBoxA 50394->50402 50403 2bf3a09 MessageBoxA 50395->50403 50396->50404 50397->50404 50398->50404 50399->50404 50400->50404 50401->50404 50402->50404 50403->50404 50404->50228 50549 2c03140 50405->50549 51085 2be7ce0 50442->51085 50444 2be24c6 50445 2bea940 50444->50445 50446 2bea951 50445->50446 50447 2bea9f3 50446->50447 50450 2bea9a0 FreeLibrary 50446->50450 50451 2bf3010 29 API calls 50446->50451 51134 2bf57d0 50447->51134 50452 2bea99d 50450->50452 50453 2bea9d1 DeleteFileA 50450->50453 50451->50452 50452->50450 50452->50453 50454 2bf3010 29 API calls 50452->50454 50453->50446 50454->50452 50455->50211 50456->50229 50457->50233 50458->50235 50459->50239 50460->50242 50461->50246 50462->50250 50466->50195 50467->50256 50468->50261 50475 2c4494e 50469->50475 50473 2be213d MessageBoxA 50473->50265 50474->50267 50476 2c41deb 50475->50476 50478 2c44973 __aulldiv __aullrem 50475->50478 50476->50473 50482 2c44839 18 API calls 50476->50482 50477 2c4508f 18 API calls 50477->50478 50478->50476 50478->50477 50479 2c484ab WideCharToMultiByte 50478->50479 50480 2c450c4 18 API calls 50478->50480 50481 2c450f5 18 API calls 50478->50481 50479->50478 50480->50478 50481->50478 50482->50473 50495 2c2fad0 50483->50495 50485 2bf857e 50485->50280 50485->50281 50486 2bf857a 50486->50485 50487 2c2fad0 6 API calls 50486->50487 50487->50485 50488->50284 50489->50284 50490->50291 50491->50292 50492->50299 50493->50303 50494->50306 50496 2c2faed 50495->50496 50497 2c2faf1 GetEnvironmentVariableW 50496->50497 50498 2c2fb17 50496->50498 50497->50486 50499 2bfb9e0 2 API calls 50498->50499 50500 2c2fb36 50499->50500 50501 2bfba80 3 API calls 50500->50501 50502 2c2fb4b GetEnvironmentVariableA 50501->50502 50503 2bfbb30 2 API calls 50502->50503 50504 2c2fb65 50503->50504 50505 2c2fb69 MultiByteToWideChar 50504->50505 50506 2c2fb82 ctype 50504->50506 50505->50506 50506->50486 50511 2be2e10 50507->50511 50509 2be2922 CreateFileMappingA 50509->50316 50509->50317 50510->50311 50512 2be2e3f 50511->50512 50515 2c0db70 50512->50515 50514 2be2e5a 50514->50509 50520 2c0db7c ctype 50515->50520 50516 2c0de92 50516->50514 50519 2c0dc98 WideCharToMultiByte 50519->50520 50520->50516 50520->50519 50521 2be27c0 TlsAlloc TlsAlloc TlsSetValue 50520->50521 50522 2c0db50 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 50520->50522 50521->50520 50522->50520 50524 2be2bd9 ctype 50523->50524 50524->50322 50526 2c0b5c3 GetProcAddress 50525->50526 50527 2c0b5af LoadLibraryA 50525->50527 50528 2c0b5d3 50526->50528 50527->50526 50527->50528 50528->50328 50532 2bf0d70 50529->50532 50533 2bf0d7f 50532->50533 50534 2bf0d88 GetLongPathNameA 50532->50534 50533->50534 50535 2bf0d9f 50533->50535 50534->50535 50536 2bf0de2 50534->50536 50541 2bf06d0 20 API calls 50535->50541 50537 2bf0dfe 50536->50537 50539 2bf3010 29 API calls 50536->50539 50537->50332 50539->50537 50540 2bf0de0 50540->50536 50541->50540 50542->50335 50543->50337 50544->50340 50545->50346 50546->50344 50547->50351 50548->50353 50925 2c0cf30 50549->50925 50551 2c0314b 50947 2c0d100 50551->50947 50553 2c03181 50556 2c0d100 5 API calls 50553->50556 50554 2c03161 50554->50553 50555 2c0d100 5 API calls 50554->50555 50555->50553 50557 2c03198 50556->50557 50558 2c031b8 50557->50558 50560 2c0d100 5 API calls 50557->50560 50559 2c0d100 5 API calls 50558->50559 50561 2c031cf 50559->50561 50560->50558 50562 2c0d100 5 API calls 50561->50562 50563 2c031e3 50562->50563 50564 2c0d100 5 API calls 50563->50564 50565 2c031f7 50564->50565 50566 2c0d100 5 API calls 50565->50566 50567 2c0320b 50566->50567 50568 2c0d100 5 API calls 50567->50568 50569 2c03222 50568->50569 50570 2c0d100 5 API calls 50569->50570 50571 2c03236 50570->50571 50572 2c0d100 5 API calls 50571->50572 50573 2c0324a 50572->50573 50574 2c0d100 5 API calls 50573->50574 50575 2c0325e 50574->50575 50576 2c0d100 5 API calls 50575->50576 50577 2c03275 50576->50577 50578 2c0d100 5 API calls 50577->50578 50579 2c03289 50578->50579 50580 2c0d100 5 API calls 50579->50580 50581 2c0329d 50580->50581 50582 2c0d100 5 API calls 50581->50582 50583 2c032b1 50582->50583 50584 2c0d100 5 API calls 50583->50584 50585 2c032c8 50584->50585 50586 2c0d100 5 API calls 50585->50586 50587 2c032dc 50586->50587 50588 2c0d100 5 API calls 50587->50588 50589 2c032f0 50588->50589 50590 2c0d100 5 API calls 50589->50590 50591 2c03304 50590->50591 50592 2c0d100 5 API calls 50591->50592 50593 2c0331b 50592->50593 50594 2c0333b 50593->50594 50595 2c0d100 5 API calls 50593->50595 50596 2c0d100 5 API calls 50594->50596 50595->50594 50597 2c03355 50596->50597 50598 2c03378 50597->50598 50600 2c0d100 5 API calls 50597->50600 50599 2c0d100 5 API calls 50598->50599 50602 2c0338f 50599->50602 50600->50598 50601 2c033b2 50604 2c0d100 5 API calls 50601->50604 50602->50601 50603 2c0d100 5 API calls 50602->50603 50603->50601 50605 2c033c9 50604->50605 50606 2c033e9 50605->50606 50608 2c0d100 5 API calls 50605->50608 50607 2c0d100 5 API calls 50606->50607 50610 2c03400 50607->50610 50608->50606 50609 2c03420 50612 2c0d100 5 API calls 50609->50612 50610->50609 50611 2c0d100 5 API calls 50610->50611 50611->50609 50613 2c03437 50612->50613 50614 2c03457 50613->50614 50616 2c0d100 5 API calls 50613->50616 50615 2c0d100 5 API calls 50614->50615 50618 2c0346e 50615->50618 50616->50614 50617 2c0348e 50620 2c0d100 5 API calls 50617->50620 50618->50617 50619 2c0d100 5 API calls 50618->50619 50619->50617 50621 2c034a5 50620->50621 50622 2c034c5 50621->50622 50624 2c0d100 5 API calls 50621->50624 50623 2c0d100 5 API calls 50622->50623 50625 2c034dc 50623->50625 50624->50622 50929 2c0cf58 50925->50929 50926 2c0cf91 50928 2c0d8e0 2 API calls 50926->50928 50930 2c0cfaa 50928->50930 50929->50926 50963 2c41fa5 15 API calls 50929->50963 50931 2c0d030 50930->50931 50932 2c0cfbd 50930->50932 50936 2c0d04b 50931->50936 50938 2c0d078 50931->50938 50967 2c43360 15 API calls 50931->50967 50964 2c0cda0 RtlEnterCriticalSection 50932->50964 50935 2c0cfc7 50937 2c0cda0 2 API calls 50935->50937 50939 2c0d063 50936->50939 50968 2c0d910 RtlLeaveCriticalSection 50936->50968 50940 2c0cfde 50937->50940 50943 2c0cda0 2 API calls 50938->50943 50939->50551 50941 2c0d0e4 50940->50941 50969 2c0d910 RtlLeaveCriticalSection 50940->50969 50941->50551 50944 2c0d082 50943->50944 50946 2c0cda0 2 API calls 50944->50946 50946->50940 50948 2c0d125 50947->50948 50949 2c0d297 50947->50949 50950 2c0d1ff 50948->50950 50951 2c0d8e0 2 API calls 50948->50951 50949->50554 50950->50949 50952 2c0d8e0 2 API calls 50950->50952 50953 2c0d160 50951->50953 50954 2c0d223 50952->50954 50955 2c0cda0 2 API calls 50953->50955 50956 2c0cda0 2 API calls 50954->50956 50957 2c0d16f 50955->50957 50959 2c0d232 50956->50959 50958 2c0cda0 2 API calls 50957->50958 50961 2c0d186 50958->50961 50959->50949 50959->50959 50971 2c0d910 RtlLeaveCriticalSection 50959->50971 50961->50950 50970 2c0d910 RtlLeaveCriticalSection 50961->50970 50963->50929 50965 2c0cdc0 50964->50965 50966 2c0cde6 RtlLeaveCriticalSection 50965->50966 50966->50935 50967->50931 50968->50939 50969->50941 50970->50950 50971->50949 51086 2c0d8e0 2 API calls 51085->51086 51087 2be7d11 51086->51087 51088 2be7f49 51087->51088 51089 2be7d55 51087->51089 51090 2be7f54 51088->51090 51132 2c0d910 RtlLeaveCriticalSection 51088->51132 51091 2bf36b0 57 API calls 51089->51091 51094 2be7f7a FreeLibrary 51090->51094 51098 2be7eff 51090->51098 51093 2be7d6c 51091->51093 51096 2be7dae 51093->51096 51097 2be7de2 51093->51097 51104 2be7d87 51093->51104 51095 2be7f98 51094->51095 51094->51098 51095->50444 51099 2be7dcd 51096->51099 51123 2c0d910 RtlLeaveCriticalSection 51096->51123 51103 2be7e05 51097->51103 51097->51104 51098->51095 51133 2c0d910 RtlLeaveCriticalSection 51098->51133 51099->50444 51101 2bf3010 29 API calls 51101->51098 51105 2bf3010 29 API calls 51103->51105 51106 2be7e26 51103->51106 51104->51098 51104->51101 51105->51106 51106->51098 51107 2be7e66 51106->51107 51124 2c0d910 RtlLeaveCriticalSection 51106->51124 51125 2be7890 41 API calls ctype 51107->51125 51110 2be7e76 51111 2be7e7d 51110->51111 51120 2be7eb4 51110->51120 51126 2be7cb0 GetModuleHandleA GetProcAddress 51111->51126 51113 2c0d8e0 2 API calls 51113->51120 51114 2be7e88 51114->51099 51127 2c0d910 RtlLeaveCriticalSection 51114->51127 51115 2be7ef5 51131 2c0d910 RtlLeaveCriticalSection 51115->51131 51118 2be7e9f 51118->50444 51120->51113 51120->51115 51128 2c0d910 RtlLeaveCriticalSection 51120->51128 51129 2be72b0 202 API calls 51120->51129 51130 2be77b0 37 API calls 51120->51130 51123->51099 51124->51107 51125->51110 51126->51114 51127->51118 51128->51120 51129->51120 51130->51120 51131->51098 51132->51090 51133->51095 51135 2bf57da 51134->51135 51136 2bea9fd 51135->51136 51137 2bf57f0 51135->51137 51136->50207 51138 2bf580d GetFileAttributesA 51137->51138 51139 2bf5839 51137->51139 51140 2bf581d RemoveDirectoryA 51137->51140 51141 2bf582a DeleteFileA 51137->51141 51138->51137 51139->51136 51140->51137 51141->51137 51143 201dc8 51144 201dd4 ___scrt_is_nonwritable_in_current_image 51143->51144 51165 201b1f 51144->51165 51146 201ddb 51147 201f34 51146->51147 51150 201e05 51146->51150 51212 2023f0 6 API calls 51147->51212 51149 201f3b exit 51151 201f41 _exit 51149->51151 51152 201e09 _initterm_e 51150->51152 51155 201e52 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 51150->51155 51153 201e24 51152->51153 51154 201e35 _initterm 51152->51154 51154->51155 51156 201ea6 _get_initial_narrow_environment __p___argv __p___argc 51155->51156 51159 201e9e _register_thread_local_exe_atexit_callback 51155->51159 51169 201340 51156->51169 51159->51156 51161 201ecc 51161->51149 51162 201ed0 51161->51162 51163 201ed4 _cexit 51162->51163 51164 201ed9 ___scrt_uninitialize_crt 51162->51164 51163->51164 51164->51153 51166 201b28 51165->51166 51213 2020b3 IsProcessorFeaturePresent 51166->51213 51168 201b34 ___scrt_uninitialize_crt 51168->51146 51175 20137a 51169->51175 51207 2013fe 51169->51207 51171 2016ac 51211 20250d GetModuleHandleW 51171->51211 51176 20138d 51175->51176 51177 201406 51175->51177 51214 2012b0 MultiByteToWideChar 51176->51214 51178 201423 51177->51178 51181 201543 51177->51181 51220 201780 51178->51220 51180 20142e 51200 201484 51180->51200 51238 201890 16 API calls Concurrency::cancel_current_task 51180->51238 51182 201560 51181->51182 51188 20166f 51181->51188 51185 201780 16 API calls 51182->51185 51189 20156e 51185->51189 51186 20149f 51190 2012b0 5 API calls 51186->51190 51187 20144c 51239 201700 _invalid_parameter_noinfo_noreturn 51187->51239 51192 201684 SetEnvironmentVariableA 51188->51192 51188->51207 51209 2015c4 51189->51209 51242 201890 16 API calls Concurrency::cancel_current_task 51189->51242 51204 2014b6 51190->51204 51192->51207 51194 201458 51194->51200 51206 20147e _invalid_parameter_noinfo_noreturn 51194->51206 51196 20158c 51243 201700 _invalid_parameter_noinfo_noreturn 51196->51243 51197 2015df SetEnvironmentVariableA 51205 2015fd 51197->51205 51199 201526 51241 201110 __acrt_iob_func __stdio_common_vfprintf _printf 51199->51241 51240 201890 16 API calls Concurrency::cancel_current_task 51200->51240 51201 201598 51201->51209 51210 2015be _invalid_parameter_noinfo_noreturn 51201->51210 51203 201520 _invalid_parameter_noinfo_noreturn 51203->51199 51204->51199 51204->51203 51205->51207 51208 20165d _invalid_parameter_noinfo_noreturn 51205->51208 51206->51200 51245 201a3a 5 API calls ___raise_securityfailure 51207->51245 51208->51207 51244 201890 16 API calls Concurrency::cancel_current_task 51209->51244 51210->51209 51211->51161 51212->51149 51213->51168 51246 201cfa 51214->51246 51221 2017b0 51220->51221 51221->51221 51222 2017c5 51221->51222 51223 20187c 51221->51223 51224 2017ca memcpy 51222->51224 51233 2017ee 51222->51233 51249 2012a0 6 API calls 51223->51249 51224->51180 51226 2017fb 51247 201200 5 API calls Concurrency::cancel_current_task 51226->51247 51227 201881 51250 201200 _CxxThrowException __std_exception_copy Concurrency::cancel_current_task 51227->51250 51229 201852 memcpy 51229->51180 51231 201886 51232 201849 51248 201200 5 API calls Concurrency::cancel_current_task 51232->51248 51233->51226 51233->51227 51233->51229 51233->51232 51235 20180e 51236 201817 51235->51236 51237 201843 _invalid_parameter_noinfo_noreturn 51235->51237 51236->51229 51237->51232 51238->51187 51239->51194 51240->51186 51241->51207 51242->51196 51243->51201 51244->51197 51245->51171 51247->51235 51248->51236 51249->51227 51250->51231 51251 2010ea 51252 201780 16 API calls 51251->51252 51253 2010ef 51252->51253 51256 201ce5 _crt_atexit _register_onexit_function 51253->51256 51255 2010f9 51256->51255 51257 2bffc30 51265 2bff9b0 51257->51265 51259 2bffc5a 51260 2bffc61 WriteFile 51259->51260 51264 2bffc72 51259->51264 51260->51264 51261 2bffcfd 51262 2bffcd7 GetLastError 51263 2bf3010 29 API calls 51262->51263 51263->51261 51264->51261 51264->51262 51266 2bfcc90 7 API calls 51265->51266 51267 2bff9dc 51266->51267 51268 2bffbac 51267->51268 51269 2bffba7 51267->51269 51270 2bffa00 SetFilePointer 51267->51270 51271 2bffbc3 51268->51271 51299 2bfccc0 7 API calls 51268->51299 51298 2bfccc0 7 API calls 51269->51298 51276 2bffa33 51270->51276 51279 2bffa3f 51270->51279 51271->51259 51291 2bff930 51276->51291 51278 2bffb02 51280 2bffb2c GetLastError 51278->51280 51281 2bffb3e 51278->51281 51279->51278 51282 2bffab8 WriteFile 51279->51282 51283 2bf3010 29 API calls 51280->51283 51284 2bffb4f GetLastError SetEvent SetLastError 51281->51284 51285 2bffb60 SetLastError 51281->51285 51282->51278 51282->51279 51283->51281 51284->51285 51286 2bffb6e 51285->51286 51287 2bffb73 51285->51287 51296 2bfccc0 7 API calls 51286->51296 51289 2bffb94 51287->51289 51297 2bfccc0 7 API calls 51287->51297 51289->51259 51292 2bff93f 51291->51292 51293 2bff957 51292->51293 51295 2bff970 51292->51295 51293->51292 51300 2c06ef0 8 API calls 51293->51300 51295->51279 51296->51287 51297->51289 51298->51268 51299->51271 51300->51293 51301 2bfc210 GetModuleHandleA 51302 2bfc31d 51301->51302 51303 2bfc248 GetModuleFileNameA 51301->51303 51304 2be40e0 37 API calls 51303->51304 51305 2bfc26c 51304->51305 51308 2bfc273 51305->51308 51315 2bfbfc0 82 API calls ctype 51305->51315 51308->51302 51316 2be7740 37 API calls 51308->51316 51310 2c41dbe 19 API calls 51311 2bfc2d2 51310->51311 51311->51308 51311->51310 51317 2c0ce40 18 API calls 51311->51317 51318 2c0ecd0 39 API calls 51311->51318 51319 2c0d3a0 70 API calls 51311->51319 51320 2bf4340 68 API calls 51311->51320 51315->51311 51316->51302 51317->51311 51318->51311 51319->51311 51320->51311 51321 2c01850 51322 2bfcc90 7 API calls 51321->51322 51323 2c0187c GetCurrentProcess 51322->51323 51324 2c01946 51323->51324 51325 2c01896 51323->51325 51326 2c01957 DuplicateHandle 51324->51326 51344 2bfccc0 7 API calls 51324->51344 51325->51324 51328 2c018aa 51325->51328 51341 2c01902 51326->51341 51331 2bf3010 29 API calls 51328->51331 51329 2c01953 51329->51326 51330 2c019a6 51333 2c019be 51330->51333 51345 2bfccc0 7 API calls 51330->51345 51335 2c018c1 51331->51335 51332 2bf3010 29 API calls 51332->51330 51336 2c018ec 51335->51336 51338 2c018f5 51335->51338 51342 2c00790 93 API calls 51336->51342 51338->51341 51343 2bfccc0 7 API calls 51338->51343 51339 2c018f2 51339->51338 51341->51330 51341->51332 51342->51339 51343->51341 51344->51329 51345->51333 51346 2c09210 GetProfileStringA 51347 2c09242 51346->51347 51348 2c09263 51346->51348 51349 2bf3010 29 API calls 51347->51349 51349->51348 51350 2c11af0 51353 2c11bd0 51350->51353 51352 2c11af8 ctype 51358 2c11a70 51353->51358 51355 2c11bde 51356 2c11be6 CloseHandle 51355->51356 51357 2c11bed 51355->51357 51356->51357 51357->51352 51359 2c11a7a UnmapViewOfFile 51358->51359 51360 2c11a9e 51358->51360 51359->51360 51361 2c11a85 51359->51361 51360->51355 51362 2c11a9a 51361->51362 51363 2c11a8c CloseHandle 51361->51363 51362->51355 51363->51362 51364 2be97ef 51365 2be97fc LoadLibraryA 51364->51365 51366 2be97f6 51364->51366 51367 2c11b10 ReadFile 51368 2bfe88c 51369 2bfe8d4 51368->51369 51370 2bfe890 51368->51370 51373 2c19740 51370->51373 51372 2bfe8a9 CreateFileA 51374 2c198b3 51373->51374 51375 2c19769 51373->51375 51374->51372 51375->51374 51393 2bfb7f0 GetLastError 51375->51393 51377 2c19792 51378 2bee270 71 API calls 51377->51378 51382 2c1979e 51377->51382 51378->51382 51379 2c198a2 51396 2bfb800 SetLastError 51379->51396 51381 2bfba80 3 API calls 51381->51382 51382->51379 51382->51381 51384 2c19800 51382->51384 51394 2c19620 15 API calls 51382->51394 51385 2bfba80 3 API calls 51384->51385 51386 2c19812 51385->51386 51387 2be28e0 4 API calls 51386->51387 51388 2c19830 51387->51388 51389 2c1986b 51388->51389 51390 2bf3010 29 API calls 51388->51390 51395 2bfb800 SetLastError 51389->51395 51390->51389 51392 2c1988d 51392->51372 51393->51377 51394->51382 51395->51392 51396->51374 51397 2bfdea3 51398 2bfdeb3 CreateFileA 51397->51398 51399 2bfded0 GetCurrentProcess GetCurrentProcess DuplicateHandle 51397->51399 51398->51399 51400 2bfdefb 51399->51400 51401 2bfdf28 51399->51401 51417 2be27c0 TlsAlloc TlsAlloc TlsSetValue 51400->51417 51418 2bfde10 RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection 51401->51418 51404 2bfdf32 51405 2bfdf39 CreateFileA 51404->51405 51407 2bfdf1e 51404->51407 51419 2bfde10 RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection 51405->51419 51406 2bfdfb6 51410 2bfdffa GetLastError 51406->51410 51411 2bfe126 51406->51411 51407->51406 51421 2be27c0 TlsAlloc TlsAlloc TlsSetValue 51407->51421 51415 2bfe00a 51410->51415 51412 2bfdf5b 51412->51407 51420 2be27c0 TlsAlloc TlsAlloc TlsSetValue 51412->51420 51414 2bfdf84 51414->51407 51416 2bfe11b SetLastError 51415->51416 51416->51411 51417->51407 51418->51404 51419->51412 51420->51414 51421->51406 51422 2be13c2 51519 2bebab0 51422->51519 51424 2be1860 51561 2be5910 51424->51561 51426 2be13fd 51426->51424 51428 2be1424 51426->51428 51799 2c02700 80 API calls 51426->51799 51539 2bf5c10 51428->51539 51429 2be196a 51735 2bf6f10 51429->51735 51436 2be19b8 51438 2be19cd 51436->51438 51779 2be6fb0 51436->51779 51437 2be1542 51552 2bf6410 51437->51552 51439 2bf6470 430 API calls 51438->51439 51442 2be19e4 51439->51442 51835 2bf5840 51442->51835 51446 2be1567 51451 2bf6f10 250 API calls 51446->51451 51447 2be19f6 51449 2be1a19 51447->51449 51452 2bf5840 6 API calls 51447->51452 51453 2bf6470 430 API calls 51449->51453 51450 2be1492 51450->51437 51800 2bf7460 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51450->51800 51801 2bf74d0 51450->51801 51461 2be158d 51451->51461 51452->51449 51455 2be1a26 51453->51455 51456 2bf6470 430 API calls 51455->51456 51458 2be1a33 51456->51458 51462 2bfc920 38 API calls 51458->51462 51460 2bf6470 430 API calls 51463 2be1781 51460->51463 51464 2be28e0 4 API calls 51461->51464 51517 2be175e 51461->51517 51465 2be1a74 51462->51465 51466 2bf6470 430 API calls 51463->51466 51467 2be1624 51464->51467 51472 2be1a9e VirtualProtect 51465->51472 51473 2be1adc 51465->51473 51480 2be1afb 51465->51480 51468 2be178e 51466->51468 51819 2bfb930 GetLastError SetLastError MultiByteToWideChar 51467->51819 51474 2bf6470 430 API calls 51468->51474 51469 2be1c5e 51844 2be4720 73 API calls 51469->51844 51470 2be1c17 51843 2be4940 GetModuleHandleA GetModuleFileNameA RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51470->51843 51477 2be1aba VirtualProtect 51472->51477 51478 2be1ad2 51472->51478 51473->51480 51484 2bf3010 29 API calls 51473->51484 51481 2be179b 51474->51481 51476 2be165f 51491 2bfbb30 2 API calls 51476->51491 51477->51478 51478->51473 51480->51469 51480->51470 51485 2bf6470 430 API calls 51481->51485 51482 2be1c2f 51486 2bf3010 29 API calls 51482->51486 51483 2be1c68 51487 2be1c6c 51483->51487 51488 2be1c71 51483->51488 51484->51480 51489 2be17a8 51485->51489 51490 2be1c5b 51486->51490 51845 2be10d0 204 API calls 51487->51845 51846 2be4720 73 API calls 51488->51846 51494 2bf6470 430 API calls 51489->51494 51490->51469 51496 2be16ac 51491->51496 51495 2be17b5 51494->51495 51499 2be17c6 51495->51499 51510 2be17d2 ctype 51495->51510 51500 2be28e0 4 API calls 51496->51500 51497 2be1c7d 51498 2be1cb2 51497->51498 51516 2be1cec ctype 51497->51516 51847 2be4940 GetModuleHandleA GetModuleFileNameA RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51498->51847 51832 2bf59e0 7 API calls 51499->51832 51503 2be16d6 51500->51503 51820 2bfb930 GetLastError SetLastError MultiByteToWideChar 51503->51820 51504 2be1cca 51507 2bf3010 29 API calls 51504->51507 51505 2be17cf 51505->51510 51509 2be1ce9 51507->51509 51508 2be1711 51513 2bfbb30 2 API calls 51508->51513 51509->51516 51833 2bf7740 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection ctype 51510->51833 51511 2be1da0 51849 2bf7740 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection ctype 51511->51849 51513->51517 51516->51511 51848 2be7740 37 API calls 51516->51848 51821 2bf6470 51517->51821 51518 2be1db6 51520 2bebaf6 51519->51520 51523 2bebba9 51520->51523 51864 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51520->51864 51522 2bebb59 51865 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51522->51865 51525 2c0d8e0 2 API calls 51523->51525 51527 2bebc6f 51525->51527 51526 2bebb83 51866 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51526->51866 51850 2bf26d0 51527->51850 51529 2bebb96 51867 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51529->51867 51535 2bf74d0 3 API calls 51536 2bebcbc 51535->51536 51863 2c0d910 RtlLeaveCriticalSection 51536->51863 51538 2bebcc7 51538->51426 51870 2c136d0 51539->51870 51541 2bf5c3d 51875 2be35d0 51541->51875 51543 2bf5c47 ctype 51544 2bf5ec1 51543->51544 51549 2bf3010 29 API calls 51543->51549 51551 2bf5ddc VirtualProtect DisableThreadLibraryCalls 51543->51551 51878 2bea250 51543->51878 51545 2be35d0 29 API calls 51544->51545 51546 2bf5ec7 51545->51546 51881 2c13730 29 API calls 51546->51881 51548 2bf5edb 51548->51450 51549->51543 51551->51543 51553 2be35d0 29 API calls 51552->51553 51554 2bf6419 51553->51554 51555 2bf7240 202 API calls 51554->51555 51557 2bf6423 51555->51557 51556 2be1555 51807 2bfc920 51556->51807 51557->51556 51558 2be7fb0 202 API calls 51557->51558 51928 2c24fb0 51557->51928 51985 2c3a770 51557->51985 51558->51557 51562 2c136d0 30 API calls 51561->51562 51565 2be5945 51562->51565 51563 2be5a35 52017 2c0f670 24 API calls 51563->52017 51565->51563 51569 2be28e0 4 API calls 51565->51569 51629 2be5987 51565->51629 51567 2be1947 51567->51429 51834 2be27c0 TlsAlloc TlsAlloc TlsSetValue 51567->51834 51568 2be5a61 51576 2be5aa8 51568->51576 52036 2c41fa5 15 API calls 51568->52036 51570 2be59f4 51569->51570 52035 2bfb930 GetLastError SetLastError MultiByteToWideChar 51570->52035 51573 2c0d8e0 2 API calls 51573->51576 51574 2be5a0d 51577 2bfbb30 2 API calls 51574->51577 51575 2be5af9 52018 2c0d910 RtlLeaveCriticalSection 51575->52018 51576->51573 51576->51575 51579 2be5ae9 51576->51579 51577->51563 52037 2c0d910 RtlLeaveCriticalSection 51579->52037 51580 2be5b13 51582 2c0d8e0 2 API calls 51580->51582 51584 2be5b26 51582->51584 51583 2be5af3 Sleep 51583->51576 51585 2be5c42 51584->51585 51586 2be5b78 51584->51586 52019 2c0d910 RtlLeaveCriticalSection 51585->52019 51588 2be5b8a 51586->51588 52038 2be7740 37 API calls 51586->52038 51591 2bf74d0 3 API calls 51588->51591 51589 2be5c4d 51592 2be5d44 51589->51592 51598 2be5c80 51589->51598 51594 2be5bc5 51591->51594 51593 2be5d62 51592->51593 51595 2bf3010 29 API calls 51592->51595 51597 2be35d0 29 API calls 51593->51597 52039 2c0d910 RtlLeaveCriticalSection 51594->52039 51595->51593 51603 2be5d6b 51597->51603 51601 2c0d8e0 2 API calls 51598->51601 51599 2be5bd0 51600 2c0d8e0 2 API calls 51599->51600 51724 2be5be2 51600->51724 51610 2be5c92 51601->51610 51605 2be5e0a 51603->51605 51606 2be5db0 51603->51606 52020 2bff1b0 51605->52020 51608 2be35d0 29 API calls 51606->51608 51611 2be5db7 51608->51611 51609 2be5e3c 51612 2be6d56 51609->51612 51614 2be5e58 51609->51614 52040 2c0d910 RtlLeaveCriticalSection 51610->52040 51613 2c0d8e0 2 API calls 51611->51613 51615 2be35d0 29 API calls 51612->51615 51634 2be5dcc 51613->51634 52025 2c00110 51614->52025 51618 2be6d5d 51615->51618 51616 2be6c50 52077 2c13730 29 API calls 51616->52077 51617 2be5cf6 52041 2c13730 29 API calls 51617->52041 52079 2c12b40 92 API calls 51618->52079 51624 2be5eaa 51626 2bff1b0 60 API calls 51624->51626 51625 2be6d71 51627 2c0d8e0 2 API calls 51625->51627 51628 2be5ec1 51626->51628 51627->51634 51630 2be6ca1 51628->51630 51631 2be5ed9 51628->51631 52081 2c13730 29 API calls 51629->52081 51632 2be35d0 29 API calls 51630->51632 51633 2bff1b0 60 API calls 51631->51633 51635 2be6ca8 ctype 51632->51635 51636 2be5eef 51633->51636 52080 2c0d910 RtlLeaveCriticalSection 51634->52080 52078 2c12b40 92 API calls 51635->52078 51637 2bff1b0 60 API calls 51636->51637 51638 2be5f08 51637->51638 51640 2be5f15 51638->51640 51648 2be5fca 51638->51648 51642 2be35d0 29 API calls 51640->51642 51641 2be6cde 51644 2c0d8e0 2 API calls 51641->51644 51645 2be5f1c ctype 51642->51645 51643 2be6015 51647 2be35d0 29 API calls 51643->51647 51644->51634 52042 2c12b40 92 API calls 51645->52042 51646 2bff1b0 60 API calls 51646->51648 51650 2be601c 51647->51650 51648->51643 51648->51646 51653 2be61a7 51650->51653 52030 2c0ec90 51650->52030 51652 2be5f52 51655 2c0d8e0 2 API calls 51652->51655 51656 2be6111 51653->51656 51657 2bf3010 29 API calls 51653->51657 51655->51634 51658 2be61fe 51656->51658 51659 2be623b 51656->51659 51665 2be621d 51656->51665 51657->51656 51661 2c06f60 4 API calls 51658->51661 51662 2c06f60 4 API calls 51659->51662 51664 2be620c 51661->51664 51666 2be6249 51662->51666 51663 2be60ba 51663->51653 51667 2be60d2 51663->51667 52046 2c07270 VirtualProtect 51664->52046 51669 2be40e0 37 API calls 51665->51669 51670 2c07270 38 API calls 51666->51670 51671 2be611e 51667->51671 51672 2be60e2 51667->51672 51679 2be632c 51669->51679 51670->51665 51673 2c06f60 4 API calls 51671->51673 51675 2be613c 51671->51675 51676 2be6150 51671->51676 52044 2be27c0 TlsAlloc TlsAlloc TlsSetValue 51672->52044 51673->51671 51675->51671 52045 2c06ef0 8 API calls 51675->52045 51676->51656 51678 2be616a VirtualQuery 51676->51678 51680 2bf3010 29 API calls 51678->51680 51698 2be63d8 ctype 51679->51698 52057 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51679->52057 51680->51656 51682 2be6677 52061 2be5480 73 API calls 51682->52061 51683 2be6388 52058 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51683->52058 51685 2be6694 52062 2c129f0 92 API calls 51685->52062 51687 2be63b2 52059 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51687->52059 51688 2be6691 51688->51685 51691 2be63c5 52060 2c0d8a0 RtlInitializeCriticalSection RtlInitializeCriticalSection 51691->52060 51693 2be669d 51697 2be66f2 51693->51697 52063 2c13530 39 API calls 51693->52063 51695 2be67c5 51700 2be67e8 51695->51700 52064 2be58e0 39 API calls 51695->52064 51697->51695 51699 2c07270 38 API calls 51697->51699 51698->51682 51698->51685 51699->51697 51716 2be6888 51700->51716 52065 2be7740 37 API calls 51700->52065 51701 2be6b4b 51703 2be6b67 51701->51703 51706 2be6b62 51701->51706 51704 2be6b7c ctype 51703->51704 52074 2be7740 37 API calls 51703->52074 52075 2c12b40 92 API calls 51704->52075 51705 2c0d8e0 2 API calls 51705->51716 52073 2be3f70 39 API calls 51706->52073 51710 2be6bbc 51712 2c0d8e0 2 API calls 51710->51712 51711 2be6ace 51713 2bf26d0 29 API calls 51711->51713 51712->51724 51714 2be6ae7 51713->51714 52070 2bf6aa0 GetCurrentThreadId GetCurrentThreadId RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51714->52070 51715 2bf3010 29 API calls 51734 2be6936 ctype 51715->51734 51716->51701 51716->51705 51716->51711 51723 2be6ab4 Sleep 51716->51723 51716->51734 52069 2c0d910 RtlLeaveCriticalSection 51716->52069 51721 2bf74d0 3 API calls 51721->51734 51722 2be6b09 52071 2c0d910 RtlLeaveCriticalSection 51722->52071 51723->51701 51723->51734 52076 2c0d910 RtlLeaveCriticalSection 51724->52076 51727 2be6b14 51728 2be6b3e 51727->51728 51729 2be6b21 51727->51729 51731 2bf74d0 3 API calls 51728->51731 52072 2c12bc0 90 API calls ctype 51729->52072 51731->51701 51732 2be6b37 51732->51728 51733 2c0d920 RtlDeleteCriticalSection 51733->51734 51734->51715 51734->51716 51734->51721 51734->51733 52066 2be3f70 39 API calls 51734->52066 52067 2be7740 37 API calls 51734->52067 52068 2be3310 8 API calls 51734->52068 51736 2c0d8e0 2 API calls 51735->51736 51739 2bf6f3a 51736->51739 51737 2be19af 51750 2bf7240 51737->51750 51740 2bf6fa5 51739->51740 51749 2bf6f49 ctype 51739->51749 52166 2c0d910 RtlLeaveCriticalSection 51739->52166 51742 2bf7057 51740->51742 51747 2bf6fd6 ctype 51740->51747 51743 2bf7240 202 API calls 51742->51743 51744 2bf7061 51743->51744 52168 2bf7740 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection ctype 51744->52168 51748 2bf7056 51747->51748 52167 2c12bc0 90 API calls ctype 51747->52167 51748->51742 51749->51737 52169 2c0d910 RtlLeaveCriticalSection 51749->52169 51751 2bf726f 51750->51751 51752 2bf727c 51750->51752 51751->51752 52170 2bf6bc0 51751->52170 51752->51436 51754 2bf72b2 52174 2bf6c60 51754->52174 51757 2bf72d9 51759 2bf7424 51757->51759 51763 2c0d8e0 RtlInitializeCriticalSection RtlEnterCriticalSection 51757->51763 51765 2bf7322 GetCurrentThreadId 51757->51765 51767 2bf7351 GetCurrentThreadId 51757->51767 51769 2c0d910 RtlLeaveCriticalSection 51757->51769 51775 2bf73f5 GetLastError 51757->51775 51778 2bf3010 29 API calls 51757->51778 52181 2be3810 51757->52181 52204 2bf6b40 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51757->52204 52205 2bf7460 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51757->52205 52206 2bf6cc0 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51759->52206 51761 2bf742a 52207 2bf76b0 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51761->52207 51763->51757 51764 2bf7434 ctype 51764->51436 51765->51757 51766 2bf7330 51765->51766 52203 2c0d910 RtlLeaveCriticalSection 51766->52203 52180 2c0d910 RtlLeaveCriticalSection 51767->52180 51769->51757 51771 2bf733a Sleep 51771->51757 51776 2be7fb0 197 API calls 51775->51776 51777 2bf7403 SetLastError 51776->51777 51777->51757 51778->51757 51781 2be6fc1 51779->51781 51780 2be70b2 51783 2be71c8 GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 51780->51783 51784 2be70cf GetCurrentThread 51780->51784 51785 2be70e4 GetProcessHeap RtlAllocateHeap 51780->51785 51781->51780 51782 2c0d8e0 2 API calls 51781->51782 51791 2be7011 51782->51791 51786 2c0d8e0 2 API calls 51783->51786 51788 2bf3010 29 API calls 51784->51788 51787 2c0d8e0 2 API calls 51785->51787 51789 2be71f8 GetCurrentThreadId 51786->51789 51793 2be7150 51787->51793 51790 2be70e1 51788->51790 51794 2be7221 51789->51794 51790->51785 51791->51780 52377 2c0d910 RtlLeaveCriticalSection 51791->52377 51795 2be71c6 51793->51795 52378 2c0d910 RtlLeaveCriticalSection 51793->52378 52379 2c0d910 RtlLeaveCriticalSection 51794->52379 51795->51783 51798 2be72a0 51798->51438 51799->51428 51800->51450 51802 2bf74e5 51801->51802 51803 2c0d8e0 2 API calls 51802->51803 51806 2bf752a ctype 51802->51806 51804 2bf7510 51803->51804 52380 2c0d910 RtlLeaveCriticalSection 51804->52380 51806->51450 51808 2bfc9f1 51807->51808 51817 2bfc946 51807->51817 51808->51446 51809 2bfc9c5 51810 2bfc9ce 51809->51810 51811 2bfc9e7 51809->51811 52381 2bfc680 51810->52381 52391 2bfc790 32 API calls 51811->52391 51814 2bfc9ec 51814->51808 51815 2bfc9d3 51815->51446 51816 2bfc98f LoadLibraryA 51816->51809 51818 2bfc9b4 GetProcAddress 51816->51818 51817->51809 51817->51816 51818->51809 51819->51476 51820->51508 51822 2be35d0 29 API calls 51821->51822 51826 2bf647b 51822->51826 51823 2bf651f 51824 2be35d0 29 API calls 51823->51824 51825 2be1774 51824->51825 51825->51460 51826->51823 51827 2bf3010 29 API calls 51826->51827 51828 2be7fb0 202 API calls 51826->51828 52394 2de83a3 51826->52394 52401 2de8390 51826->52401 52408 2de80c6 51826->52408 51827->51826 51828->51826 51832->51505 51833->51424 51834->51429 51839 2bf5860 51835->51839 51836 2bf59af 51836->51447 51837 2bf597e CreateDirectoryA 51837->51839 51838 2bf5958 CreateDirectoryA 51838->51839 51842 2bf5961 51838->51842 51839->51836 51839->51837 51839->51838 52832 2bf56e0 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 51839->52832 51842->51839 52831 2bf56e0 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 51842->52831 51843->51482 51844->51483 51845->51488 51846->51497 51847->51504 51848->51511 51849->51518 51851 2bf26ee 51850->51851 51852 2bf270e 51850->51852 51854 2bf3010 29 API calls 51851->51854 51853 2bebc9e 51852->51853 51855 2c0d8e0 2 API calls 51852->51855 51858 2bf6e10 51853->51858 51854->51852 51856 2bf272e 51855->51856 51868 2c0d910 RtlLeaveCriticalSection 51856->51868 51859 2c0d8e0 2 API calls 51858->51859 51860 2bf6e3c 51859->51860 51861 2bebca8 51860->51861 51869 2c0d910 RtlLeaveCriticalSection 51860->51869 51861->51535 51863->51538 51864->51522 51865->51526 51866->51529 51867->51523 51868->51853 51869->51861 51871 2c13721 51870->51871 51872 2c136e8 InterlockedIncrement 51870->51872 51871->51541 51873 2bf3010 29 API calls 51872->51873 51874 2c13715 51873->51874 51874->51541 51882 2be35b0 51875->51882 51885 2be9fb0 51878->51885 51881->51548 51883 2bf3010 29 API calls 51882->51883 51884 2be35c4 51883->51884 51884->51543 51886 2be40e0 37 API calls 51885->51886 51888 2be9fea 51886->51888 51887 2bea043 51889 2bea053 GetProcAddress 51887->51889 51900 2bea04f 51887->51900 51888->51887 51890 2bea000 51888->51890 51889->51900 51921 2c18c00 72 API calls 51890->51921 51892 2bea13e 51894 2bea1c1 GetLastError 51892->51894 51918 2bea133 51892->51918 51893 2bea00e 51893->51892 51922 2c18c00 72 API calls 51893->51922 51896 2bea1da 51894->51896 51897 2bea1d5 51894->51897 51896->51543 51927 2be7740 37 API calls 51897->51927 51899 2bea163 51904 2bea19e 51899->51904 51905 2bea185 51899->51905 51900->51892 51907 2bea088 GetModuleFileNameA 51900->51907 51902 2bea029 51902->51892 51903 2bea036 SetLastError 51902->51903 51903->51892 51908 2bf3010 29 API calls 51904->51908 51906 2bf3010 29 API calls 51905->51906 51909 2bea199 51906->51909 51907->51892 51910 2bea0a3 51907->51910 51908->51909 51909->51894 51923 2c0ce40 18 API calls 51910->51923 51912 2bea102 51912->51918 51925 2bf4340 68 API calls 51912->51925 51913 2bea0fa 51924 2c0d3a0 70 API calls 51913->51924 51914 2bea0af 51914->51912 51914->51913 51917 2bea0d3 51914->51917 51919 2be9fb0 82 API calls 51917->51919 51918->51892 51926 2be4940 GetModuleHandleA GetModuleFileNameA RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51918->51926 51920 2bea0e1 51919->51920 51920->51896 51920->51897 51921->51893 51922->51902 51923->51914 51924->51912 51925->51918 51926->51899 51927->51896 51929 2c24fdd 51928->51929 51930 2c250a0 51929->51930 51938 2c24ffe 51929->51938 51931 2c251c3 51930->51931 51932 2c250ab GetCurrentProcessId 51930->51932 51933 2c25098 51931->51933 51995 2c23df0 51931->51995 51936 2be28e0 4 API calls 51932->51936 51933->51557 51937 2c250cc OpenFileMappingA 51936->51937 51939 2c250e5 51937->51939 51940 2be28e0 4 API calls 51938->51940 51941 2c250ed MapViewOfFile 51939->51941 51965 2c2516c 51939->51965 51945 2c25049 51940->51945 51942 2c2510b 51941->51942 52002 2c0dab0 TlsAlloc TlsAlloc TlsSetValue 51942->52002 51944 2c251a9 52008 2c23b50 86 API calls 51944->52008 51948 2c25091 51945->51948 51949 2c2507d 51945->51949 51947 2c2511a 52003 2be2940 TlsAlloc TlsAlloc TlsSetValue ctype 51947->52003 52001 2c24f20 9 API calls 51948->52001 51952 2c23df0 3 API calls 51949->51952 51956 2c25082 51952->51956 51954 2c25128 52004 2be2940 TlsAlloc TlsAlloc TlsSetValue ctype 51954->52004 51955 2c251be 51955->51933 51999 2c1c420 80 API calls ctype 51956->51999 51959 2c25138 52005 2be2940 TlsAlloc TlsAlloc TlsSetValue ctype 51959->52005 51960 2c25088 52000 2c006e0 92 API calls 51960->52000 51963 2c25148 UnmapViewOfFile CloseHandle 52006 2c267e0 97 API calls ctype 51963->52006 52007 2c24f20 9 API calls 51965->52007 51966 2c251d1 51967 2c25579 RegOpenKeyExA 51966->51967 51970 2c25598 ctype 51967->51970 51968 2be28e0 4 API calls 51969 2c25743 51968->51969 51971 2c25776 51969->51971 51972 2c2579d 51969->51972 51970->51968 52009 2c1c420 80 API calls ctype 51971->52009 52013 2c24f20 9 API calls 51972->52013 51975 2c257a3 51977 2c3a770 89 API calls 51975->51977 51976 2c2577c 52010 2c24030 25 API calls 51976->52010 51979 2c257ab 51977->51979 52014 2c3d400 74 API calls 51979->52014 51981 2c25781 51982 2c25797 51981->51982 52011 2c1c3a0 WideCharToMultiByte 51981->52011 52012 2c006e0 92 API calls 51982->52012 51986 2c3a792 51985->51986 51987 2c3a799 GetCurrentProcessId 51985->51987 51988 2be28e0 4 API calls 51986->51988 51987->51986 51989 2c3a7be OpenFileMappingA 51988->51989 51990 2c3a7ea 51989->51990 51991 2c3a7f2 MapViewOfFile 51990->51991 51994 2c3a853 51990->51994 51992 2c3a83b 51991->51992 51992->51994 52016 2c39e00 86 API calls 51992->52016 51994->51557 51998 2c23e1b ctype 51995->51998 51996 2c2401a 51996->51966 51998->51996 52015 2c1a380 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 51998->52015 51999->51960 52000->51948 52001->51933 52002->51947 52003->51954 52004->51959 52005->51963 52006->51965 52007->51944 52008->51955 52009->51976 52010->51981 52011->51982 52012->51972 52013->51975 52014->51933 52015->51998 52016->51994 52017->51568 52018->51580 52019->51589 52082 2bff830 52020->52082 52022 2bff1d7 52023 2bff1db ReadFile 52022->52023 52024 2bff1f1 52022->52024 52023->51609 52024->51609 52126 2bfffd0 16 API calls 52025->52126 52027 2c00132 52028 2c00139 SetFilePointer 52027->52028 52029 2c0014a 52027->52029 52028->51624 52029->51624 52127 2c0e9e0 52030->52127 52032 2c0eca1 52033 2be607e 52032->52033 52163 2c0e730 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52032->52163 52033->51653 52043 2be33a0 VirtualAlloc RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52033->52043 52035->51574 52036->51568 52037->51583 52038->51588 52039->51599 52040->51617 52041->51567 52042->51652 52043->51663 52044->51656 52045->51675 52047 2c072b8 52046->52047 52048 2c0732f 52046->52048 52164 2be41c0 37 API calls 52047->52164 52048->51665 52050 2c072cd 52051 2c072f4 52050->52051 52052 2c072d4 52050->52052 52054 2bf3010 29 API calls 52051->52054 52053 2bf3010 29 API calls 52052->52053 52055 2c072ef 52053->52055 52054->52055 52055->52048 52165 2be7740 37 API calls 52055->52165 52057->51683 52058->51687 52059->51691 52060->51698 52061->51688 52062->51693 52063->51697 52064->51700 52065->51716 52066->51716 52067->51734 52068->51734 52069->51716 52070->51722 52071->51727 52072->51732 52073->51703 52074->51704 52075->51710 52076->51616 52077->51567 52078->51641 52079->51625 52080->51629 52081->51567 52083 2bfcc90 7 API calls 52082->52083 52084 2bff858 52083->52084 52085 2bff90b 52084->52085 52088 2bff885 52084->52088 52086 2bff91c 52085->52086 52114 2bfccc0 7 API calls 52085->52114 52086->52022 52089 2bff889 52088->52089 52090 2bff8b0 52088->52090 52098 2bff4e0 GetLastError 52089->52098 52092 2bff8a4 52090->52092 52093 2bff8b5 52090->52093 52096 2bff8f7 52092->52096 52113 2bfccc0 7 API calls 52092->52113 52112 2bff400 GetLastError SetFilePointer ReadFile SetFilePointer SetLastError 52093->52112 52095 2bff8d0 52095->52092 52096->52022 52102 2bff517 52098->52102 52099 2bff736 52100 2bff75c SetLastError 52099->52100 52101 2bff752 SetEvent 52099->52101 52100->52092 52101->52100 52102->52099 52103 2c0d8e0 2 API calls 52102->52103 52105 2bff6da IsBadWritePtr 52102->52105 52108 2c0d910 RtlLeaveCriticalSection 52102->52108 52109 2bff930 8 API calls 52102->52109 52110 2bf3010 29 API calls 52102->52110 52123 2c352f0 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52102->52123 52104 2bff5c1 SetFilePointer 52103->52104 52115 2bff780 52104->52115 52105->52099 52105->52102 52108->52102 52109->52102 52110->52102 52112->52095 52113->52096 52114->52086 52116 2c0d8e0 2 API calls 52115->52116 52117 2bff78a 52116->52117 52120 2bff7ae ctype 52117->52120 52124 2be27c0 TlsAlloc TlsAlloc TlsSetValue 52117->52124 52119 2bff5f2 ReadFile 52119->52102 52120->52119 52121 2bff7ee 52120->52121 52121->52119 52121->52120 52125 2c06ef0 8 API calls 52121->52125 52123->52102 52124->52120 52125->52121 52126->52027 52128 2c0e9fc CreateFileMappingA 52127->52128 52129 2c0ec7f 52127->52129 52130 2c0ea1b CreateFileMappingA 52128->52130 52131 2c0ea3d MapViewOfFile 52128->52131 52129->52032 52130->52131 52134 2c0ec6e CloseHandle 52130->52134 52132 2c0ea52 MapViewOfFile 52131->52132 52133 2c0ea68 52131->52133 52132->52133 52132->52134 52135 2c00110 17 API calls 52133->52135 52134->52032 52136 2c0ea7f 52135->52136 52137 2c00110 17 API calls 52136->52137 52138 2c0ea8f 52137->52138 52139 2bff1b0 60 API calls 52138->52139 52151 2c0eaa2 52139->52151 52140 2c0eb59 52141 2c00110 17 API calls 52140->52141 52142 2c0eb72 52141->52142 52143 2c07270 38 API calls 52142->52143 52145 2c0eb98 52143->52145 52144 2c00110 17 API calls 52144->52151 52146 2c0ebab 52145->52146 52148 2c07270 38 API calls 52145->52148 52149 2c0ebe5 UnmapViewOfFile 52146->52149 52150 2c07270 38 API calls 52146->52150 52147 2bff1b0 60 API calls 52147->52151 52148->52146 52152 2c0ebf3 MapViewOfFileEx 52149->52152 52153 2c0ebc2 52150->52153 52151->52140 52151->52144 52151->52147 52152->52134 52156 2c0ec12 MapViewOfFile 52152->52156 52155 2c0ebd5 52153->52155 52157 2c07270 38 API calls 52153->52157 52155->52149 52156->52134 52158 2c0ec26 MapViewOfFileEx 52156->52158 52157->52155 52158->52134 52159 2c0ec3c MapViewOfFile 52158->52159 52159->52134 52160 2c0ec4a 52159->52160 52160->52134 52161 2bf3010 29 API calls 52160->52161 52162 2c0ec6b 52161->52162 52162->52134 52163->52033 52164->52050 52165->52048 52166->51740 52167->51747 52168->51749 52169->51737 52171 2bf6c00 52170->52171 52173 2bf6c3c ctype 52171->52173 52208 2bf6b70 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52171->52208 52173->51754 52175 2bf6c6e 52174->52175 52176 2bf6cb6 52175->52176 52178 2bf6cb0 Sleep 52175->52178 52209 2bf6aa0 GetCurrentThreadId GetCurrentThreadId RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52175->52209 52210 2bf6b40 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52175->52210 52176->51757 52202 2bf6cf0 34 API calls ctype 52176->52202 52178->52175 52180->51757 52182 2be3842 InterlockedIncrement 52181->52182 52188 2be3853 52181->52188 52182->52188 52183 2be3956 52185 2be3976 52183->52185 52187 2bf3010 29 API calls 52183->52187 52184 2be386d 52184->52183 52186 2bf3010 29 API calls 52184->52186 52185->51757 52186->52183 52187->52185 52188->52184 52191 2be3991 52188->52191 52189 2be3a42 52211 2c0f5c0 52189->52211 52191->52189 52194 2bf3010 29 API calls 52191->52194 52201 2be3ae4 52191->52201 52194->52189 52197 2be3a83 52198 2be3ab4 52197->52198 52199 2bf3010 29 API calls 52197->52199 52200 2bf3010 29 API calls 52198->52200 52198->52201 52199->52198 52200->52201 52201->51757 52202->51757 52203->51771 52204->51757 52205->51757 52206->51761 52207->51764 52208->52171 52209->52175 52210->52175 52212 2be3a58 52211->52212 52213 2c0f5cc RtlEnterCriticalSection 52211->52213 52214 2be35f0 52212->52214 52213->52212 52220 2dec88e 52214->52220 52249 2be99f0 52214->52249 52270 2deda6f HeapCreate 52214->52270 52215 2be362c 52219 2c0f5e0 RtlLeaveCriticalSection 52215->52219 52219->52197 52221 2dec89b GetVersion 52220->52221 52222 2dec923 52220->52222 52223 2deda6f 60 API calls 52221->52223 52224 2dec955 52222->52224 52225 2dec929 52222->52225 52228 2dec8ad 52223->52228 52226 2dec8ee 52224->52226 52336 2ded788 31 API calls 52224->52336 52225->52226 52229 2dec944 52225->52229 52332 2deca75 32 API calls 52225->52332 52226->52215 52228->52226 52282 2ded69c 52228->52282 52333 2df07fe 30 API calls 52229->52333 52233 2dec949 52334 2ded6f0 35 API calls 52233->52334 52234 2dec8e5 52236 2dec8e9 52234->52236 52237 2dec8f2 GetCommandLineA 52234->52237 52329 2dedacc 6 API calls 52236->52329 52292 2df0b58 52237->52292 52239 2dec94e 52335 2dedacc 6 API calls 52239->52335 52244 2dec90c 52330 2df090b 49 API calls 52244->52330 52246 2dec911 52331 2df0852 48 API calls 52246->52331 52248 2dec916 52248->52226 52250 2be9aa1 52249->52250 52251 2be9afe 52250->52251 52252 2be9aa8 52250->52252 52253 2bf7240 200 API calls 52251->52253 52254 2be9ab5 LoadLibraryA 52252->52254 52255 2be9ab1 LoadLibraryA 52252->52255 52256 2be9ac8 52253->52256 52257 2be9abb 52254->52257 52255->52257 52259 2be9ade 52256->52259 52260 2be9b17 52256->52260 52257->52256 52258 2bfc920 38 API calls 52257->52258 52258->52256 52262 2bf3010 29 API calls 52259->52262 52263 2be9b25 52260->52263 52266 2be9af9 52260->52266 52262->52266 52265 2bf3010 29 API calls 52263->52265 52265->52266 52372 2be3f70 39 API calls 52266->52372 52267 2be9b39 ctype 52373 2bf7740 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection ctype 52267->52373 52269 2be9b87 52269->52215 52271 2deda8f 52270->52271 52272 2dedac5 52270->52272 52374 2ded927 57 API calls 52271->52374 52272->52215 52274 2deda94 52275 2deda9e 52274->52275 52276 2dedaab 52274->52276 52375 2dedb74 HeapAlloc 52275->52375 52278 2dedac8 52276->52278 52376 2dee6bb HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 52276->52376 52278->52215 52279 2dedaa8 52279->52278 52281 2dedab9 HeapDestroy 52279->52281 52281->52272 52337 2decc43 InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 52282->52337 52284 2ded6a2 TlsAlloc 52285 2ded6ec 52284->52285 52286 2ded6b2 52284->52286 52285->52234 52338 2df11a5 30 API calls 52286->52338 52288 2ded6bb 52288->52285 52289 2ded6c3 TlsSetValue 52288->52289 52289->52285 52290 2ded6d4 52289->52290 52291 2ded6da GetCurrentThreadId 52290->52291 52291->52234 52293 2df0ba6 52292->52293 52294 2df0b73 GetEnvironmentStringsW 52292->52294 52295 2df0b7b 52293->52295 52297 2df0b97 52293->52297 52294->52295 52296 2df0b87 GetEnvironmentStrings 52294->52296 52298 2df0bbf WideCharToMultiByte 52295->52298 52299 2df0bb3 GetEnvironmentStringsW 52295->52299 52296->52297 52300 2dec902 52296->52300 52297->52300 52301 2df0c39 GetEnvironmentStrings 52297->52301 52302 2df0c45 52297->52302 52304 2df0c25 FreeEnvironmentStringsW 52298->52304 52305 2df0bf3 52298->52305 52299->52298 52299->52300 52315 2df0642 52300->52315 52301->52300 52301->52302 52306 2deb4df 29 API calls 52302->52306 52304->52300 52339 2deb4df 52305->52339 52313 2df0c60 52306->52313 52309 2df0c02 WideCharToMultiByte 52311 2df0c13 52309->52311 52312 2df0c1c 52309->52312 52310 2df0c76 FreeEnvironmentStringsA 52310->52300 52342 2deb619 29 API calls 52311->52342 52312->52304 52313->52310 52316 2deb4df 29 API calls 52315->52316 52317 2df0655 52316->52317 52318 2df0663 GetStartupInfoA 52317->52318 52371 2deca04 7 API calls 52317->52371 52326 2df0782 52318->52326 52328 2df06b1 52318->52328 52321 2df07ed SetHandleCount 52321->52244 52322 2df07ad GetStdHandle 52324 2df07bb GetFileType 52322->52324 52322->52326 52323 2deb4df 29 API calls 52323->52328 52324->52326 52325 2df0728 52325->52326 52327 2df074a GetFileType 52325->52327 52326->52321 52326->52322 52327->52325 52328->52323 52328->52325 52328->52326 52329->52226 52330->52246 52331->52248 52332->52229 52333->52233 52334->52239 52335->52226 52336->52226 52337->52284 52338->52288 52343 2deb4f1 52339->52343 52342->52312 52344 2deb4ee 52343->52344 52346 2deb4f8 52343->52346 52344->52304 52344->52309 52346->52344 52347 2deb51d 52346->52347 52348 2deb54a 52347->52348 52350 2deb58d 52347->52350 52354 2deb578 52348->52354 52365 2deccd8 29 API calls 52348->52365 52353 2deb5af 52350->52353 52350->52354 52351 2deb560 52366 2dedf10 HeapReAlloc HeapAlloc VirtualAlloc HeapFree VirtualAlloc 52351->52366 52352 2deb5fc RtlAllocateHeap 52362 2deb57f 52352->52362 52368 2deccd8 29 API calls 52353->52368 52354->52352 52354->52362 52357 2deb56b 52367 2deb584 LeaveCriticalSection 52357->52367 52358 2deb5b6 52369 2dee9b3 6 API calls 52358->52369 52361 2deb5c9 52370 2deb5e3 LeaveCriticalSection 52361->52370 52362->52346 52364 2deb5d6 52364->52354 52364->52362 52365->52351 52366->52357 52367->52354 52368->52358 52369->52361 52370->52364 52371->52318 52372->52267 52373->52269 52374->52274 52375->52279 52376->52279 52377->51780 52378->51795 52379->51798 52380->51806 52382 2c136d0 30 API calls 52381->52382 52383 2bfc6ad GetCurrentProcess K32EnumProcessModules 52382->52383 52384 2bfc6e1 52383->52384 52386 2bfc706 52383->52386 52385 2bfc6e7 GetCurrentProcess EnumProcessModules 52384->52385 52385->52386 52392 2bfc550 RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52386->52392 52388 2bfc724 ctype 52393 2c13730 29 API calls 52388->52393 52390 2bfc752 52390->51815 52391->51814 52392->52388 52393->52390 52395 2de83a5 ctype 52394->52395 52396 2de83c6 52395->52396 52397 2de83d0 52395->52397 52463 2de6bc9 52396->52463 52400 2de83cd ctype 52397->52400 52515 2de5fe2 52397->52515 52400->51826 52402 2de83a5 ctype 52401->52402 52403 2de83c6 52402->52403 52404 2de83d0 52402->52404 52405 2de6bc9 239 API calls 52403->52405 52406 2de5fe2 111 API calls 52404->52406 52407 2de83cd ctype 52404->52407 52405->52407 52406->52407 52407->51826 52409 2de80d0 __EH_prolog 52408->52409 52410 2de8409 52409->52410 52420 2de80f2 52409->52420 52411 2de840f 52410->52411 52413 2de847c 52410->52413 52790 2de56ce GetModuleHandleA 52411->52790 52414 2de8498 52413->52414 52415 2de84a1 52413->52415 52462 2de83cd ctype 52413->52462 52416 2de6bc9 239 API calls 52414->52416 52417 2de5fe2 111 API calls 52415->52417 52415->52462 52416->52462 52417->52462 52418 2de8414 52418->52462 52735 2de7fca 52420->52735 52421 2de817a 52422 2de81b1 52421->52422 52424 2de81b6 52421->52424 52789 2de7bc4 ExitProcess 52422->52789 52425 2de81d8 GetSystemTime 52424->52425 52426 2de81f8 52425->52426 52745 2de5244 52426->52745 52428 2de8228 ctype 52752 2de1b55 52428->52752 52431 2de1b55 3 API calls 52432 2de825f 52431->52432 52756 2de1bcd 52432->52756 52435 2de1bcd 3 API calls 52436 2de8281 52435->52436 52437 2de1bcd 3 API calls 52436->52437 52438 2de8292 52437->52438 52439 2de1bcd 3 API calls 52438->52439 52440 2de82a3 52439->52440 52441 2de1bcd 3 API calls 52440->52441 52442 2de82b4 52441->52442 52760 2dea33d 52442->52760 52444 2de82fc 52776 2dea4cb 52444->52776 52446 2de8310 52447 2de9399 3 API calls 52446->52447 52449 2de8320 ctype 52447->52449 52448 2de83b7 52451 2de83c6 52448->52451 52452 2de83d0 52448->52452 52449->52448 52450 2de8df7 50 API calls 52449->52450 52453 2de8372 52450->52453 52454 2de6bc9 239 API calls 52451->52454 52455 2de5fe2 111 API calls 52452->52455 52452->52462 52456 2de5cee 86 API calls 52453->52456 52454->52462 52455->52462 52457 2de837a 52456->52457 52458 2de5fe2 111 API calls 52457->52458 52459 2de8380 52458->52459 52459->52448 52460 2de8388 52459->52460 52461 2de838a ExitProcess 52459->52461 52460->52461 52462->51826 52464 2de6bd3 __EH_prolog 52463->52464 52465 2de5fe2 111 API calls 52464->52465 52466 2de6be1 GetModuleHandleA 52465->52466 52467 2de6c00 52466->52467 52468 2de6c06 52467->52468 52469 2de7699 52467->52469 52471 2de6c2f 52467->52471 52486 2de6d1c ctype 52467->52486 52468->52469 52530 2de5cee 52468->52530 52554 2de5a3b 52469->52554 52475 2de6c3c 6 API calls 52471->52475 52473 2de76a9 52473->52400 52474 2de7677 GetSystemTime SystemTimeToFileTime 52474->52469 52560 2de520b 52475->52560 52477 2de7645 52477->52468 52479 2de764a DestroyWindow UnregisterClassA 52477->52479 52479->52468 52481 2de6cde CreateWindowExA #17 CreateFontA 52508 2de6e07 ctype 52481->52508 52482 2de520b 4 API calls 52482->52486 52483 2de6dca CreateWindowExA SendMessageA 52565 2de8938 16 API calls 52483->52565 52485 2de5bfa 96 API calls 52485->52508 52486->52477 52486->52482 52486->52483 52487 2de737b CreateWindowExA SendMessageA SendMessageA 52486->52487 52486->52508 52488 2de73d0 SendMessageA 52487->52488 52488->52486 52489 2de6b31 6 API calls 52489->52508 52491 2de74b1 CreateWindowExA SendMessageA 52491->52508 52492 2de7500 CreateWindowExA SendMessageA 52492->52508 52494 2de754e CreateWindowExA SendMessageA 52494->52508 52495 2deac37 GetModuleHandleA CreateWindowExA SendMessageA 52495->52508 52496 2de7573 ShowWindow 52496->52508 52497 2de758a GetMessageA TranslateMessage DispatchMessageA 52499 2de75c0 GetWindowTextA EnableWindow 52497->52499 52497->52508 52498 2de75eb ExitProcess 52498->52508 52499->52508 52501 2de746d SendMessageA 52501->52486 52502 2de75fc EnumChildWindows 52502->52508 52503 2de5fe2 111 API calls 52503->52508 52505 2de520b TlsSetValue TlsAlloc TlsAlloc WideCharToMultiByte 52505->52508 52506 2de726a SendMessageA CreateWindowExA SendMessageA 52506->52508 52508->52485 52508->52486 52508->52489 52508->52491 52508->52492 52508->52494 52508->52495 52508->52497 52508->52498 52508->52501 52508->52502 52508->52503 52508->52505 52510 2de594f 24 API calls 52508->52510 52511 2de72dd CreateWindowExA SendMessageA 52508->52511 52512 2de70d5 SendMessageA 52508->52512 52513 2de7323 CreateWindowExA EnableWindow SendMessageA 52508->52513 52514 2de7225 SendMessageA 52508->52514 52566 2de594f 24 API calls 2 library calls 52508->52566 52567 2de9399 52508->52567 52573 2de594f 24 API calls 2 library calls 52508->52573 52574 2de7b58 GetDesktopWindow GetWindowRect GetWindowRect SetWindowPos 52508->52574 52509 2de6f9d SendMessageA 52509->52508 52510->52508 52511->52508 52512->52508 52513->52508 52514->52508 52516 2de5fec __EH_prolog 52515->52516 52671 2de5a92 52516->52671 52518 2de5ffa ctype 52519 2de8df7 50 API calls 52518->52519 52520 2de602c 52519->52520 52521 2de5b38 66 API calls 52520->52521 52522 2de6049 52521->52522 52523 2de60e0 10 API calls 52522->52523 52524 2de605d 52523->52524 52675 2de6670 52524->52675 52526 2de607c 52527 2de60be 52526->52527 52528 2de609a GetSystemTime SystemTimeToFileTime 52526->52528 52527->52400 52529 2de5cee 86 API calls 52528->52529 52529->52527 52532 2de5cf8 __EH_prolog 52530->52532 52531 2de5ecb ctype 52535 2de5e28 ctype 52531->52535 52575 2de9a81 52531->52575 52532->52531 52589 2de8df7 52532->52589 52535->52474 52538 2de5d49 52597 2de586f GetSystemTime SystemTimeToFileTime 52538->52597 52540 2de5d54 52598 2de5b38 52540->52598 52542 2de5d6f 52542->52535 52608 2de60e0 GetSystemTime SystemTimeToFileTime 52542->52608 52544 2de5db0 52545 2de8df7 50 API calls 52544->52545 52546 2de5ddf 52545->52546 52547 2de5b38 66 API calls 52546->52547 52548 2de5df9 52547->52548 52549 2de60e0 10 API calls 52548->52549 52550 2de5e15 52549->52550 52550->52531 52550->52535 52551 2de5a3b 16 API calls 52550->52551 52552 2de5e91 52551->52552 52552->52535 52553 2de5a3b 16 API calls 52552->52553 52553->52531 52555 2de5a45 __EH_prolog 52554->52555 52556 2de520b 4 API calls 52555->52556 52557 2de5a58 52556->52557 52558 2de9a81 16 API calls 52557->52558 52559 2de5a6f ctype 52558->52559 52559->52473 52561 2de5215 __EH_prolog 52560->52561 52653 2de5528 52561->52653 52563 2de5235 RegisterClassA 52564 2de56b4 52563->52564 52564->52481 52565->52508 52566->52509 52568 2de93a3 __EH_prolog 52567->52568 52570 2de93c7 52568->52570 52665 2de1628 TlsSetValue TlsAlloc TlsAlloc 52568->52665 52666 2de8b8f 52570->52666 52572 2de9407 ctype 52572->52508 52573->52506 52574->52496 52620 2deb4c0 52575->52620 52577 2de9a8b GetSystemTime SystemTimeToFileTime 52580 2de9abc ctype 52577->52580 52578 2de9d0f WriteProfileStringA 52578->52580 52579 2de9c4f GetTempPathA 52581 2de520b 4 API calls 52579->52581 52580->52578 52580->52579 52582 2de9e09 RegCreateKeyA RegSetValueExA RegCloseKey 52580->52582 52586 2de520b TlsSetValue TlsAlloc TlsAlloc WideCharToMultiByte 52580->52586 52588 2de9dd5 52580->52588 52621 2de25f0 52580->52621 52583 2de9c79 GetFileAttributesA 52581->52583 52582->52580 52583->52580 52584 2de9c90 CreateDirectoryA 52583->52584 52584->52580 52585 2de9c9e GetFileAttributesA 52584->52585 52585->52580 52586->52580 52588->52535 52590 2de8e01 __EH_prolog 52589->52590 52591 2de8e54 52590->52591 52592 2de8e2d 52590->52592 52636 2de1628 TlsSetValue TlsAlloc TlsAlloc 52591->52636 52635 2de9060 50 API calls 2 library calls 52592->52635 52595 2de5d32 52595->52531 52596 2de586f GetSystemTime SystemTimeToFileTime 52595->52596 52596->52538 52597->52540 52599 2de5b42 __EH_prolog 52598->52599 52637 2de586f GetSystemTime SystemTimeToFileTime 52599->52637 52601 2de5b4f 52602 2de520b 4 API calls 52601->52602 52603 2de5b79 52602->52603 52638 2de9e55 52603->52638 52607 2de5b9d ctype 52607->52542 52610 2de6110 52608->52610 52609 2de6177 FileTimeToSystemTime FileTimeToSystemTime FileTimeToSystemTime SystemTimeToTzSpecificLocalTime 52611 2de61bb 52609->52611 52612 2de61c5 SystemTimeToTzSpecificLocalTime 52609->52612 52610->52609 52611->52612 52613 2de61ef SystemTimeToTzSpecificLocalTime 52612->52613 52614 2de61df 52612->52614 52618 2de6209 52613->52618 52614->52613 52615 2de63b8 CompareFileTime 52616 2de63e7 52615->52616 52617 2de63f5 CompareFileTime 52616->52617 52619 2de6424 52616->52619 52617->52619 52618->52615 52618->52616 52619->52544 52620->52577 52622 2de25fa __EH_prolog 52621->52622 52625 2de2682 CreateFileA 52622->52625 52626 2de2658 52622->52626 52630 2de266c 52622->52630 52624 2de26c9 52624->52630 52633 2de1628 TlsSetValue TlsAlloc TlsAlloc 52624->52633 52625->52624 52629 2de270b 52625->52629 52632 2de1644 TlsSetValue TlsAlloc TlsAlloc 52626->52632 52629->52630 52634 2de24fe GetFileSize 52629->52634 52630->52580 52632->52630 52633->52630 52634->52630 52635->52595 52636->52595 52637->52601 52649 2de9e5f __EH_prolog ctype 52638->52649 52639 2de520b TlsSetValue TlsAlloc TlsAlloc WideCharToMultiByte 52639->52649 52640 2de9fcd GetProfileStringA 52640->52649 52641 2de9f34 GetTempPathA 52643 2de520b 4 API calls 52641->52643 52642 2de999d 6 API calls 52642->52649 52643->52649 52644 2dea003 GetProfileStringA 52644->52649 52645 2de25f0 5 API calls 52645->52649 52646 2de5b93 52646->52607 52651 2de586f GetSystemTime SystemTimeToFileTime 52646->52651 52648 2dea19e CompareFileTime 52648->52649 52649->52639 52649->52640 52649->52641 52649->52642 52649->52644 52649->52645 52649->52646 52649->52648 52650 2dea1c9 CompareFileTime 52649->52650 52652 2de34a3 47 API calls 2 library calls 52649->52652 52650->52649 52651->52607 52652->52649 52654 2de5532 __EH_prolog 52653->52654 52657 2de1c63 52654->52657 52656 2de555d ctype 52656->52563 52658 2de1c72 ctype 52657->52658 52659 2de1f0f 52658->52659 52662 2de1e63 WideCharToMultiByte 52658->52662 52663 2de1628 TlsSetValue TlsAlloc TlsAlloc 52658->52663 52664 2de1c48 TlsSetValue TlsAlloc TlsAlloc WideCharToMultiByte 52658->52664 52659->52656 52662->52658 52663->52658 52664->52658 52665->52570 52667 2de8b99 __EH_prolog 52666->52667 52669 2de8cf6 ctype 52667->52669 52670 2de1628 TlsSetValue TlsAlloc TlsAlloc 52667->52670 52669->52572 52670->52667 52672 2de5a9c __EH_prolog 52671->52672 52673 2de9e55 64 API calls 52672->52673 52674 2de5ad3 ctype 52673->52674 52674->52518 52676 2de667a __EH_prolog 52675->52676 52677 2de66bf SetEnvironmentVariableA 52676->52677 52678 2de668c 52676->52678 52680 2de66bd ctype 52677->52680 52679 2de520b 4 API calls 52678->52679 52681 2de669d SetEnvironmentVariableA 52679->52681 52682 2de520b 4 API calls 52680->52682 52681->52680 52683 2de66e9 SetEnvironmentVariableA 52682->52683 52684 2de670c ctype 52683->52684 52685 2de520b 4 API calls 52684->52685 52686 2de6723 SetEnvironmentVariableA 52685->52686 52687 2de6746 ctype 52686->52687 52688 2de677e SetEnvironmentVariableA 52687->52688 52689 2de674e 52687->52689 52691 2de677c ctype 52688->52691 52690 2de520b 4 API calls 52689->52690 52692 2de6759 SetEnvironmentVariableA 52690->52692 52693 2de67c9 SetEnvironmentVariableA 52691->52693 52694 2de6794 52691->52694 52692->52691 52695 2de67c7 ctype 52693->52695 52696 2de9399 3 API calls 52694->52696 52697 2de9399 3 API calls 52695->52697 52698 2de67a4 SetEnvironmentVariableA 52696->52698 52699 2de67ea SetEnvironmentVariableA 52697->52699 52698->52695 52733 2de53d2 52699->52733 52701 2de680d SetEnvironmentVariableA 52702 2de6852 SetEnvironmentVariableA 52701->52702 52703 2de6822 52701->52703 52705 2de6850 ctype 52702->52705 52704 2de520b 4 API calls 52703->52704 52706 2de682d SetEnvironmentVariableA 52704->52706 52707 2de520b 4 API calls 52705->52707 52706->52705 52708 2de686c SetEnvironmentVariableA 52707->52708 52709 2de688f ctype 52708->52709 52710 2de520b 4 API calls 52709->52710 52711 2de689f SetEnvironmentVariableA 52710->52711 52712 2de53d2 ctype 52711->52712 52713 2de68c2 SetEnvironmentVariableA 52712->52713 52714 2de520b 4 API calls 52713->52714 52715 2de6900 SetEnvironmentVariableA 52714->52715 52716 2de6923 ctype 52715->52716 52717 2de6929 52716->52717 52718 2de6974 SetEnvironmentVariableA 52716->52718 52719 2de520b 4 API calls 52717->52719 52725 2de6972 ctype 52718->52725 52720 2de694f SetEnvironmentVariableA 52719->52720 52720->52725 52721 2de6987 52723 2de520b 4 API calls 52721->52723 52722 2de69d2 SetEnvironmentVariableA 52724 2de69d0 ctype 52722->52724 52726 2de69ad SetEnvironmentVariableA 52723->52726 52727 2de6a1b SetEnvironmentVariableA 52724->52727 52728 2de69eb 52724->52728 52725->52721 52725->52722 52726->52724 52730 2de6a28 SetEnvironmentVariableA 52727->52730 52729 2de520b 4 API calls 52728->52729 52731 2de69f6 SetEnvironmentVariableA 52729->52731 52730->52526 52732 2de6a19 ctype 52731->52732 52732->52730 52734 2de53db ctype 52733->52734 52734->52701 52736 2de7ff6 CreateFileA 52735->52736 52737 2de801a 52736->52737 52738 2de8050 GetFileSize 52736->52738 52739 2de520b 4 API calls 52737->52739 52791 2de850b 52738->52791 52742 2de802f MessageBoxA 52739->52742 52741 2de806d ReadFile CloseHandle 52741->52421 52743 2de53d2 ctype 52742->52743 52744 2de8049 ExitProcess 52743->52744 52793 2de1b83 52745->52793 52749 2de52d5 52749->52428 52750 2de5270 ctype 52750->52749 52798 2de1628 TlsSetValue TlsAlloc TlsAlloc 52750->52798 52753 2de1b63 52752->52753 52754 2de1b79 52753->52754 52800 2de1628 TlsSetValue TlsAlloc TlsAlloc 52753->52800 52754->52431 52757 2de1be3 52756->52757 52759 2de1c25 52757->52759 52801 2de1628 TlsSetValue TlsAlloc TlsAlloc 52757->52801 52759->52435 52761 2dea347 __EH_prolog 52760->52761 52762 2dea381 52761->52762 52812 2dea2ab 96 API calls 2 library calls 52761->52812 52767 2dea3a2 52762->52767 52813 2de97df 6 API calls 2 library calls 52762->52813 52766 2dea3f6 GetVolumeInformationA 52769 2dea421 52766->52769 52771 2dea3dd ctype 52767->52771 52802 2de98ea 52767->52802 52768 2dea3c7 52768->52771 52814 2de52de TlsSetValue TlsAlloc TlsAlloc 52768->52814 52770 2dea43c GetComputerNameA 52769->52770 52775 2dea464 ctype 52769->52775 52772 2dea454 52770->52772 52770->52775 52771->52766 52771->52769 52815 2de52de TlsSetValue TlsAlloc TlsAlloc 52772->52815 52775->52444 52777 2dea4d5 __EH_prolog 52776->52777 52778 2dea500 52777->52778 52783 2dea521 ctype 52777->52783 52827 2de9564 6 API calls ctype 52778->52827 52780 2dea509 52780->52783 52830 2de52de TlsSetValue TlsAlloc TlsAlloc 52780->52830 52781 2dea6c5 ctype 52781->52446 52783->52781 52784 2de98ea 6 API calls 52783->52784 52785 2dea5e0 GetVolumeInformationA 52783->52785 52786 2dea625 GetComputerNameA 52783->52786 52828 2dea2ab 96 API calls 2 library calls 52783->52828 52829 2de52de TlsSetValue TlsAlloc TlsAlloc 52783->52829 52784->52783 52785->52783 52786->52780 52786->52783 52790->52418 52792 2de8512 52791->52792 52792->52741 52794 2de1b96 52793->52794 52796 2de1bbd 52794->52796 52799 2de1628 TlsSetValue TlsAlloc TlsAlloc 52794->52799 52796->52750 52797 2de1628 TlsSetValue TlsAlloc TlsAlloc 52796->52797 52797->52750 52798->52750 52799->52796 52800->52754 52801->52759 52803 2de98f4 __EH_prolog 52802->52803 52816 2de999d RegOpenKeyA 52803->52816 52806 2de999d 6 API calls 52807 2de993a 52806->52807 52808 2de9969 ctype 52807->52808 52809 2de999d 6 API calls 52807->52809 52808->52768 52810 2de9952 52809->52810 52810->52808 52811 2de999d 6 API calls 52810->52811 52811->52808 52812->52762 52813->52767 52814->52771 52815->52775 52817 2de9923 52816->52817 52818 2de99c0 RegQueryValueExA 52816->52818 52817->52806 52817->52808 52819 2de99ea 52818->52819 52820 2de9a72 RegCloseKey 52818->52820 52821 2de99ef RegQueryValueExA 52819->52821 52822 2de9a2c 52819->52822 52820->52817 52821->52820 52825 2de9a0c ctype 52821->52825 52823 2de9a34 RegQueryValueExA 52822->52823 52824 2de9a6c ctype 52823->52824 52823->52825 52824->52820 52826 2de9a5e RegCloseKey 52825->52826 52826->52817 52827->52780 52828->52783 52829->52783 52830->52780 52831->51842 52832->51839 52833 2be8940 52834 2be894a 52833->52834 52836 2be8973 52834->52836 52845 2be2de0 TlsAlloc TlsAlloc TlsSetValue WideCharToMultiByte 52834->52845 52837 2be4510 72 API calls 52836->52837 52838 2be898e GetModuleHandleA 52837->52838 52840 2be89a6 52838->52840 52846 2be4940 GetModuleHandleA GetModuleFileNameA RtlInitializeCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 52840->52846 52842 2be89bd 52847 2c13730 29 API calls 52842->52847 52844 2be8a07 52845->52836 52846->52842 52847->52844 52848 2c14e3e 52849 2bee270 71 API calls 52848->52849 52850 2c14e50 52849->52850 52862 2c04050 52850->52862 52852 2c14ec8 52854 2c14ee4 52852->52854 52867 2c15480 15 API calls 52852->52867 52861 2c14f5d 52854->52861 52868 2bf24a0 15 API calls 52854->52868 52855 2c15436 FindFirstFileA 52856 2c1544a FindClose 52855->52856 52858 2c15013 52855->52858 52856->52858 52859 2c14f41 52859->52861 52869 2c15480 15 API calls 52859->52869 52861->52855 52861->52858 52863 2c04099 52862->52863 52865 2c04063 52862->52865 52863->52852 52866 2c04090 52865->52866 52870 2c15480 15 API calls 52865->52870 52866->52852 52867->52854 52868->52859 52869->52861 52870->52865

                                                        Executed Functions

                                                        Function 02C24FB0 Relevance: 77.6, APIs: 6, Strings: 38, Instructions: 608fileregistryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 194 2c24fb0-2c24fdb 195 2c24fe6-2c24ff8 194->195 196 2c24fdd-2c24fe0 194->196 198 2c250a0-2c250a5 195->198 199 2c24ffe-2c2507b call 2be2b50 call 2be28e0 call 2bfe840 call 2be2bd0 195->199 196->195 200 2c251c3-2c251c6 198->200 201 2c250ab-2c250e7 GetCurrentProcessId call 2be28e0 OpenFileMappingA call 2be2bd0 198->201 234 2c25091-2c2509b call 2c24f20 199->234 235 2c2507d-2c2508c call 2c23df0 call 2c1c420 call 2c006e0 199->235 202 2c251cc-2c25596 call 2c23df0 call 2c3c550 RegOpenKeyExA 200->202 203 2c257bd-2c257d2 200->203 217 2c251a2-2c251be call 2c24f20 call 2c23b50 201->217 218 2c250ed-2c2519d MapViewOfFile call 2c0e350 call 2c0dab0 call 2be2940 * 3 UnmapViewOfFile CloseHandle call 2c267e0 call 2be2bd0 * 3 call 2c0e2b0 201->218 291 2c25598 202->291 292 2c2559e-2c255b6 call 2bedc40 202->292 217->203 218->217 234->203 235->234 291->292 295 2c25652 292->295 296 2c255bc-2c255f1 call 2bedc40 call 2be1040 292->296 297 2c25654-2c25679 call 2bedc40 295->297 307 2c255f3-2c25604 296->307 308 2c25607-2c25621 call 2be1050 296->308 304 2c25715 297->304 305 2c2567f-2c256b4 call 2bedc40 call 2be1040 297->305 309 2c25717-2c25774 call 2be28e0 call 2bfe840 call 2be2bd0 304->309 320 2c256b6-2c256c7 305->320 321 2c256ca-2c256e4 call 2be1050 305->321 307->308 317 2c25623-2c25629 call 2bedc70 308->317 318 2c2562c-2c25650 call 2bedc40 308->318 336 2c25776-2c25790 call 2c1c420 call 2c24030 call 2c1a0e0 309->336 337 2c2579d-2c257b8 call 2c24f20 call 2c3a770 call 2c3d400 309->337 317->318 318->297 320->321 331 2c256e6-2c256ec call 2bedc70 321->331 332 2c256ef-2c25713 call 2bedc40 321->332 331->332 332->309 352 2c25792 call 2c1c3a0 336->352 353 2c25797-2c25798 call 2c006e0 336->353 337->203 352->353 353->337
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 02C250B7
                                                        • OpenFileMappingA.KERNEL32(00000004,00000000,?), ref: 02C250D5
                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 02C250F3
                                                        • UnmapViewOfFile.KERNEL32(00000000,?,?,?,00000000,00001000,00000000,00000000), ref: 02C2514D
                                                        • CloseHandle.KERNEL32(00000000), ref: 02C25154
                                                        • RegOpenKeyExA.KERNELBASE(80000000,CLSID,00000000,00000008,02C672EC), ref: 02C2558E
                                                          • Part of subcall function 02C1C420: VirtualAlloc.KERNEL32(00000000,00001001,00001000,00000004), ref: 02C1C50C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$OpenView$AllocCloseCurrentHandleMappingProcessUnmapVirtual
                                                        • String ID: %s.th_registry$CLSID$GetEnvironmentVariableA$GetEnvironmentVariableW$RegCloseKey$RegCreateKeyA$RegCreateKeyExA$RegCreateKeyExW$RegCreateKeyW$RegDeleteKeyA$RegDeleteKeyW$RegDeleteValueA$RegDeleteValueW$RegEnumKeyA$RegEnumKeyExA$RegEnumKeyExW$RegEnumKeyW$RegEnumValueA$RegEnumValueW$RegOpenCurrentUser$RegOpenKeyA$RegOpenKeyExA$RegOpenKeyExW$RegOpenKeyW$RegOpenUserClassesRoot$RegQueryInfoKeyA$RegQueryInfoKeyW$RegQueryValueA$RegQueryValueExA$RegQueryValueExW$RegQueryValueW$RegSetValueA$RegSetValueExA$RegSetValueExW$RegSetValueW$advapi32.dll$kernel32.dll$vregrec-%d
                                                        • API String ID: 3792713908-270347187
                                                        • Opcode ID: c9b16a97e22fec2bc409c645c4f22353c3e7960b3995d839e217eb9bc08392e9
                                                        • Instruction ID: 76b1962b8891ef2c1d0df1d03fec14503745e5b4ff6345239d147e042fa9cebc
                                                        • Opcode Fuzzy Hash: c9b16a97e22fec2bc409c645c4f22353c3e7960b3995d839e217eb9bc08392e9
                                                        • Instruction Fuzzy Hash: 8E328370A80315AFF704DFA4CC89E6A7769FF49754B104B68F5279B2D0CBB0A944CBA1
                                                        Function 02C040E0 Relevance: 45.1, APIs: 12, Strings: 13, Instructions: 1391fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(02C661AC), ref: 02C04104
                                                        • SetEnvironmentVariableA.KERNEL32(Cor_Enable_Profiling,00000000,00000000,02C503A4,00000000,02C503A4,00000000,02C503A4,00000000,02C503A4,00000000,02C503A4,00000000,02C503A4,?,00000000), ref: 02C049ED
                                                        • SetEnvironmentVariableA.KERNEL32(COR_PROFILER,00000000,?,00000000,02C66384,?,00000000,02C66364,?,00000000,02C66350), ref: 02C049F6
                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000109,02C661E4,02C503A4,00000000,02C503A4,?,00000000,02C66384,?,00000000,02C66364,?,00000000,02C66350), ref: 02C04A58
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000000,02C66384,?,00000000,02C66364,?,00000000,02C66350), ref: 02C04A5F
                                                        • OpenFileMappingA.KERNEL32(000F001F,00000000,02C4C898), ref: 02C04B06
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,00000000,02C66384,?,00000000,02C66364,?,00000000,02C66350), ref: 02C04B1B
                                                        • CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,02C66384,?,00000000,02C66364), ref: 02C04B58
                                                        • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000004,02C4C898), ref: 02C04B6B
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,00000000,02C66384,?,00000000,02C66364,?,00000000,02C66350), ref: 02C04B7E
                                                        • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,02C66384,?,00000000,02C66364), ref: 02C04BD9
                                                        • SetEnvironmentVariableA.KERNEL32(TS_VERSION,2.730,00000000,00000000,?,?,?,000000FF), ref: 02C051AE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$EnvironmentVariable$HandleMappingModuleView$AttributesCloseCreateNameOpen
                                                        • String ID: %s.%d$%s.%s$%s.th_raw$%s.thzip$&$2.730$C:\jc\VOS2\thinstall\os\ts_hook.cpp$COR_PROFILER$Cor_Enable_Profiling$TS_VERSION$Too many files in %s$bad sig in file %st_files=%d, dir_start=%d, sig=%x, file_size=%d$load_directory() : File %s does not exist
                                                        • API String ID: 1025293273-1934773841
                                                        • Opcode ID: 61a69f68a3023ef0a3a71eb6578ead48819fd1ca685e41825c10db0add4e3e79
                                                        • Instruction ID: 519ecf0aa408a286daef2a6c5cb78665d35a67dc5efecc6fa8ac2d548ce849fb
                                                        • Opcode Fuzzy Hash: 61a69f68a3023ef0a3a71eb6578ead48819fd1ca685e41825c10db0add4e3e79
                                                        • Instruction Fuzzy Hash: 07B2E170D40204AFCB14EFA5D894BBEBBBEEF54304F14496CE916A7281DB74AA44CF61
                                                        Function 02BE3810 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 253COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1233 2be3810-2be3840 1234 2be3842-2be384d InterlockedIncrement 1233->1234 1235 2be3853-2be3862 1233->1235 1234->1235 1236 2be388e-2be3895 1235->1236 1237 2be3864-2be3867 1235->1237 1238 2be38b8-2be38bb 1236->1238 1239 2be3897-2be38a4 1236->1239 1240 2be386d-2be387a 1237->1240 1241 2be3991-2be3996 1237->1241 1244 2be38bd-2be38c2 1238->1244 1245 2be3938-2be3946 1238->1245 1242 2be38aa-2be38b3 1239->1242 1243 2be3959-2be3966 1239->1243 1240->1243 1248 2be3880-2be3889 1240->1248 1246 2be3998 1241->1246 1247 2be39b3-2be39bf 1241->1247 1249 2be3951-2be3956 call 2bf3010 1242->1249 1254 2be3968-2be3976 call 2bf3010 1243->1254 1255 2be3979-2be398e 1243->1255 1244->1245 1253 2be38c4-2be38c6 1244->1253 1245->1243 1250 2be3948-2be394c 1245->1250 1256 2be399b-2be399d 1246->1256 1251 2be39c5-2be39d1 1247->1251 1252 2be3af3-2be3b06 1247->1252 1248->1249 1249->1243 1250->1249 1251->1252 1258 2be39d7-2be39dc 1251->1258 1259 2be38ea-2be38ed 1253->1259 1260 2be38c8-2be38cd 1253->1260 1254->1255 1256->1247 1262 2be399f-2be39a3 1256->1262 1258->1252 1264 2be39e2-2be39f9 1258->1264 1266 2be38ef-2be38f1 1259->1266 1267 2be390d-2be3910 1259->1267 1260->1259 1265 2be38cf-2be38dd 1260->1265 1262->1247 1269 2be39a5-2be39b1 1262->1269 1270 2be39fb-2be3a02 1264->1270 1271 2be3a04-2be3a06 1264->1271 1265->1243 1272 2be38df-2be38e8 1265->1272 1266->1267 1273 2be38f3-2be3900 1266->1273 1274 2be3917-2be391c 1267->1274 1275 2be3912-2be3915 1267->1275 1269->1256 1277 2be3a0e 1270->1277 1278 2be3a08 1271->1278 1279 2be3a11-2be3a1e 1271->1279 1272->1249 1273->1243 1280 2be3902-2be390b 1273->1280 1274->1241 1281 2be391e-2be392b 1274->1281 1275->1241 1275->1274 1277->1279 1278->1277 1283 2be3a45-2be3a6e call 2c0f5c0 call 2be35f0 1279->1283 1284 2be3a20-2be3a23 1279->1284 1280->1249 1281->1243 1282 2be392d-2be3936 1281->1282 1282->1249 1293 2be3a73-2be3a90 call 2c0f5e0 1283->1293 1286 2be3a2e 1284->1286 1287 2be3a25-2be3a2c 1284->1287 1289 2be3a33-2be3a42 call 2bf3010 1286->1289 1287->1289 1289->1283 1296 2be3ab7-2be3ac5 1293->1296 1297 2be3a92-2be3a95 1293->1297 1300 2be3ae7-2be3aee call 2c0f600 1296->1300 1301 2be3ac7-2be3aca 1296->1301 1298 2be3a97-2be3a9e 1297->1298 1299 2be3aa0 1297->1299 1304 2be3aa5-2be3ab4 call 2bf3010 1298->1304 1299->1304 1300->1252 1301->1300 1302 2be3acc-2be3ace 1301->1302 1302->1300 1305 2be3ad0-2be3ae4 call 2bf3010 1302->1305 1304->1296 1305->1300
                                                        APIs
                                                        • InterlockedIncrement.KERNEL32(02C66248), ref: 02BE3847
                                                        Strings
                                                        • Skipping DllMain(%x) for %s, system loaded, xrefs: 02BE3884
                                                        • Skipping DllMain(%x) for %s, DisableThreadLibraryCalls used, xrefs: 02BE3931
                                                        • unknown reason?, xrefs: 02BE3A2E, 02BE3A37, 02BE3AA0, 02BE3AA9
                                                        • Skipping DllMain(%x) for %s, system loaded or loader flags restrict, xrefs: 02BE38AE
                                                        • DLL_PROCESS_ATTACH, xrefs: 02BE3AD9
                                                        • Skipping DllMain(%x) for %s, attach not called yet, xrefs: 02BE3906
                                                        • DllMain(%s) for %s -> %d (*** failed), xrefs: 02BE3ADA
                                                        • Finished: DllMain(%s) for %s -> %d, xrefs: 02BE3AAA
                                                        • Calling DllMain(%s) for %s (%x), xrefs: 02BE3A38
                                                        • Skipping DllMain(%x) for %s, not ready for init yet, xrefs: 02BE396C
                                                        • Skipping DllMain(%x) for %s, free pending, xrefs: 02BE38E3
                                                        • Skipping DllMain(%x) for %s, not ready for init, xrefs: 02BE394C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: IncrementInterlocked
                                                        • String ID: Calling DllMain(%s) for %s (%x)$ Finished: DllMain(%s) for %s -> %d$ Skipping DllMain(%x) for %s, DisableThreadLibraryCalls used$ Skipping DllMain(%x) for %s, attach not called yet$ Skipping DllMain(%x) for %s, free pending$ Skipping DllMain(%x) for %s, not ready for init$ Skipping DllMain(%x) for %s, not ready for init yet$ Skipping DllMain(%x) for %s, system loaded$ Skipping DllMain(%x) for %s, system loaded or loader flags restrict$DLL_PROCESS_ATTACH$DllMain(%s) for %s -> %d (*** failed)$unknown reason?
                                                        • API String ID: 3508698243-123460540
                                                        • Opcode ID: d12ede7e29339c6b1c9d88ace3d481cb12a83484e0245917ef55f277d2a570a9
                                                        • Instruction ID: 9a62fc0a85d0092da0176f7aa0ffa594808eb110171870ae5bd2d9bcc6ba3db0
                                                        • Opcode Fuzzy Hash: d12ede7e29339c6b1c9d88ace3d481cb12a83484e0245917ef55f277d2a570a9
                                                        • Instruction Fuzzy Hash: B491BA74A00200AFEB24CE49C895FBA77EAEB85314F0006D9EE9757341C776E8C0CBA1
                                                        Function 02C14230 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 590fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(?), ref: 02C1447A
                                                        • FindFirstFileA.KERNELBASE(?,?), ref: 02C14491
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesFindFirst
                                                        • String ID: %s\%s
                                                        • API String ID: 4185537391-4073750446
                                                        • Opcode ID: 33426170a5b602590cdf64bd82b522dc44b1e2d89beab98a799e87fb31b9d8dc
                                                        • Instruction ID: 61c65542c90f57b3b94db595f4c51354f4df1e46e21029e2cc5b7ea1449ec53b
                                                        • Opcode Fuzzy Hash: 33426170a5b602590cdf64bd82b522dc44b1e2d89beab98a799e87fb31b9d8dc
                                                        • Instruction Fuzzy Hash: 70328E715083819FD728DF64C481AAFB7E9BFCA304F544A5DE88A97240D770EA09DF92
                                                        Function 02C14E3E Relevance: 3.2, APIs: 2, Instructions: 173COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8740fdb5914cce086de042e6d138f47f0697c58ea3044207c76a02ac3c100e3c
                                                        • Instruction ID: cde3220dab92e2775e490e96c799eaa02fa3331c5dcb44e57f1428d260c78e89
                                                        • Opcode Fuzzy Hash: 8740fdb5914cce086de042e6d138f47f0697c58ea3044207c76a02ac3c100e3c
                                                        • Instruction Fuzzy Hash: A661B0B15043428FCB24DF20D881AABB3E9AFC5714F444D5DE89AA7240D771EA49DF92
                                                        Function 02DEC88E Relevance: 3.1, APIs: 2, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetVersion.KERNEL32(02DEC9A7,?,?,?), ref: 02DEC89B
                                                          • Part of subcall function 02DEDA6F: HeapCreate.KERNELBASE(00000000,00001000,00000000,02DEC8AD,00000001), ref: 02DEDA80
                                                          • Part of subcall function 02DEDA6F: HeapDestroy.KERNEL32 ref: 02DEDABF
                                                          • Part of subcall function 02DED69C: TlsAlloc.KERNEL32(?,02DEC8E5), ref: 02DED6A2
                                                          • Part of subcall function 02DED69C: TlsSetValue.KERNEL32(00000000), ref: 02DED6CA
                                                          • Part of subcall function 02DED69C: GetCurrentThreadId.KERNEL32 ref: 02DED6DB
                                                        • GetCommandLineA.KERNEL32 ref: 02DEC8F2
                                                          • Part of subcall function 02DEDACC: VirtualFree.KERNEL32(?,00100000,00004000,?,?,?,?,02DEC953,02DEC9A7,?,?,?), ref: 02DEDB04
                                                          • Part of subcall function 02DEDACC: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,02DEC953,02DEC9A7,?,?,?), ref: 02DEDB0F
                                                          • Part of subcall function 02DEDACC: HeapFree.KERNEL32(00000000,?,?,?,?,?,02DEC953,02DEC9A7,?,?,?), ref: 02DEDB1C
                                                          • Part of subcall function 02DEDACC: HeapFree.KERNEL32(00000000,?,?,?,?,02DEC953,02DEC9A7,?,?,?), ref: 02DEDB38
                                                          • Part of subcall function 02DEDACC: HeapDestroy.KERNEL32(?,?,02DEC953,02DEC9A7,?,?,?), ref: 02DEDB6B
                                                          • Part of subcall function 02DED788: TlsGetValue.KERNEL32(00000008,?,02DEC960,00000000,02DEC9A7,?,?,?), ref: 02DED7A0
                                                          • Part of subcall function 02DED788: TlsSetValue.KERNEL32(00000000,?,02DEC960,00000000,02DEC9A7,?,?,?), ref: 02DED820
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$Free$Value$DestroyVirtual$AllocCommandCreateCurrentLineThreadVersion
                                                        • String ID:
                                                        • API String ID: 1348591257-0
                                                        • Opcode ID: f7f948465c6af5751c1e1024efa8a9304251852a88dbf4ca49f00c4d4f583219
                                                        • Instruction ID: 1f011228564626048690349c6efe31dd5ebe48bbf2fabb4eedabd8d779f1df95
                                                        • Opcode Fuzzy Hash: f7f948465c6af5751c1e1024efa8a9304251852a88dbf4ca49f00c4d4f583219
                                                        • Instruction Fuzzy Hash: AA116070DB42098ADF98FB70A84132837A6EB11702F54482FE613C2381EB31CC70EE29
                                                        Function 02DE6BC9 Relevance: 147.8, APIs: 48, Strings: 36, Instructions: 798timeregistrythreadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 2de6bc9-2de6bfe call 2deb4c0 call 2de5fe2 GetModuleHandleA 5 2de6c0b-2de6c0f 0->5 6 2de6c00-2de6c04 0->6 8 2de6c15-2de6c21 5->8 9 2de7699-2de76a4 call 2de5a3b 5->9 7 2de6c06 6->7 6->8 11 2de766c-2de7672 call 2de5cee 7->11 12 2de6c2f-2de6d17 call 2dec560 GetModuleHandleA LoadCursorA GetSysColor CreateSolidBrush GetCurrentThreadId GetCurrentProcess call 2de520b RegisterClassA call 2de56b4 CreateWindowExA #17 CreateFontA call 2de53d2 8->12 13 2de6c23-2de6c29 8->13 15 2de76a9-2de76b0 9->15 18 2de7677-2de7693 GetSystemTime SystemTimeToFileTime 11->18 16 2de6d1c 12->16 13->12 13->16 20 2de76b9-2de76c8 15->20 21 2de76b2 15->21 19 2de6d22-2de6d28 16->19 18->9 23 2de6d2a-2de6d30 19->23 24 2de6d36-2de6d3d 19->24 21->20 23->24 26 2de7645-2de7648 23->26 24->26 27 2de6d43-2de6d73 call 2de56b4 * 2 24->27 30 2de764a-2de765d DestroyWindow UnregisterClassA 26->30 31 2de7663-2de766a 26->31 38 2de6d7d-2de6dc2 call 2de520b call 2de5359 call 2de53d2 27->38 39 2de6d75-2de6d7b 27->39 30->31 31->9 31->11 40 2de6dc6-2de6dc8 38->40 39->38 39->40 42 2de6dca-2de6e08 CreateWindowExA SendMessageA call 2de8938 40->42 43 2de6e09-2de6e18 40->43 42->43 46 2de6e1e-2de6e40 43->46 47 2de6fc5-2de6fcb 43->47 51 2de6e42-2de6e7e call 2de568a call 2de5bfa call 2de6b31 46->51 52 2de6e80-2de6eb8 call 2de568a call 2de5bfa call 2de6b31 46->52 53 2de70fa-2de7101 47->53 54 2de6fd1-2de705b call 2de568a call 2de5bfa call 2de6b31 call 2de53d2 call 2deac37 47->54 101 2de6ebc-2de6ee3 call 2de53d2 call 2deac37 51->101 52->101 57 2de7107-2de7193 call 2de568a call 2de5bfa call 2de6b31 call 2de53d2 call 2deac37 53->57 58 2de7360-2de7368 53->58 128 2de70e9-2de70f5 call 2dea6e0 54->128 129 2de7061-2de706e 54->129 132 2de7239-2de735b call 2de56b4 call 2de594f SendMessageA CreateWindowExA SendMessageA call 2de56b4 CreateWindowExA SendMessageA call 2de56b4 CreateWindowExA EnableWindow SendMessageA call 2dea6e0 57->132 133 2de7199-2de7237 call 2de9399 call 2de56b4 call 2de520b call 2de594f call 2de53d2 * 2 SendMessageA 57->133 64 2de736a-2de736c 58->64 65 2de7372-2de7379 58->65 64->65 71 2de747c-2de7484 64->71 72 2de737b-2de73ce CreateWindowExA SendMessageA * 2 65->72 73 2de73f0-2de73f6 65->73 78 2de748a-2de74ce call 2de56b4 CreateWindowExA SendMessageA 71->78 79 2de7486-2de7488 71->79 80 2de73d5-2de73e1 72->80 81 2de73d0-2de73d3 72->81 73->71 83 2de73fc-2de7403 73->83 89 2de74d0-2de74d7 78->89 79->78 79->89 87 2de73e3-2de73ee SendMessageA 80->87 81->87 83->78 84 2de7409-2de747a call 2de56b4 call 2de520b call 2de594f call 2de53d2 SendMessageA 83->84 84->71 87->73 97 2de751f-2de7525 89->97 98 2de74d9-2de751d call 2de56b4 CreateWindowExA SendMessageA 89->98 103 2de756d-2de7577 call 2de7b58 ShowWindow 97->103 104 2de7527-2de756b call 2de56b4 CreateWindowExA SendMessageA 97->104 98->97 135 2de6f0a-2de6f11 101->135 136 2de6ee5-2de6f05 101->136 123 2de757d-2de7588 103->123 104->103 130 2de758a-2de75be GetMessageA TranslateMessage DispatchMessageA 123->130 131 2de75e6-2de75e9 123->131 128->53 140 2de7075-2de70e7 call 2de56b4 call 2de520b call 2de594f call 2de53d2 SendMessageA 129->140 141 2de7070 129->141 130->123 142 2de75c0-2de75e4 GetWindowTextA EnableWindow 130->142 137 2de75eb-2de75ec ExitProcess 131->137 138 2de75f7-2de75fa 131->138 132->58 133->132 146 2de6f35-2de6f37 135->146 147 2de6f13-2de6f33 135->147 144 2de6f8b-2de6fc0 call 2de56b4 call 2de594f SendMessageA call 2dea6e0 136->144 137->138 149 2de760e-2de7616 138->149 150 2de75fc-2de7609 EnumChildWindows 138->150 140->128 141->140 142->123 144->47 158 2de6f5b-2de6f73 146->158 159 2de6f39-2de6f59 146->159 147->144 152 2de762f-2de7640 call 2de53d2 149->152 153 2de7618-2de7623 call 2de5fe2 149->153 150->149 152->19 153->152 174 2de7625 153->174 166 2de6f75-2de6f7f 158->166 167 2de6f81-2de6f86 158->167 159->144 166->144 167->144 174->152
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE6BCE
                                                          • Part of subcall function 02DE5FE2: __EH_prolog.LIBCMT ref: 02DE5FE7
                                                          • Part of subcall function 02DE5FE2: GetSystemTime.KERNEL32(?,?,02DFC7B0), ref: 02DE609E
                                                          • Part of subcall function 02DE5FE2: SystemTimeToFileTime.KERNEL32(?,02DFC7B8,?,02DFC7B0), ref: 02DE60AD
                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,00000000), ref: 02DE6BEC
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02DE6C48
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 02DE6C57
                                                        • GetSysColor.USER32(0000000F), ref: 02DE6C66
                                                        • CreateSolidBrush.GDI32(00000000), ref: 02DE6C6D
                                                        • GetCurrentThreadId.KERNEL32 ref: 02DE6C7A
                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 02DE6C81
                                                        • RegisterClassA.USER32(?), ref: 02DE6CB1
                                                        • CreateWindowExA.USER32(00000200,?,00000000,00000000,80000000,80000000,00000230,000001A9,00000000,00000000,?,00000000), ref: 02DE6CE2
                                                        • #17.COMCTL32(?,?,?,?,?,?,00000000), ref: 02DE6CEA
                                                        • CreateFontA.GDI32(0000000F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000), ref: 02DE6D00
                                                        • CreateWindowExA.USER32(00000000,STATIC,?,50000001,00000014,00000014,00000200,00000015,00000000,00000000,?,00000000), ref: 02DE6DE4
                                                        • SendMessageA.USER32(00000000,00000030,00000000), ref: 02DE6DF8
                                                          • Part of subcall function 02DE5CEE: __EH_prolog.LIBCMT ref: 02DE5CF3
                                                        • GetSystemTime.KERNEL32(?), ref: 02DE767D
                                                        • SystemTimeToFileTime.KERNEL32(?,02DFC7B8), ref: 02DE768D
                                                          • Part of subcall function 02DE5A3B: __EH_prolog.LIBCMT ref: 02DE5A40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Time$CreateH_prologSystem$CurrentFileHandleModuleWindow$BrushClassColorCursorFontLoadMessageProcessRegisterSendSolidThread
                                                        • String ID: %d%d$($BUTTON$EDIT$STATIC$bad_macid$bad_macid_url$demo_after.rtf$demo_before.rtf$demo_nokey.rtf$demo_register.rtf$enter_reg$enter_reg_url$expired_msg$expired_msg_url$macid_show$macid_show_url$msctls_progress32$no_key$no_key_url$register_button$register_later_button$runs_expire_msg$runs_expire_msg_url$thinstall_c$trial_next_button$trial_quit_button$trial_window_title$url_top_link$url_top_name$ver_max_hit$ver_max_hit_url$ver_min_hit$ver_min_hit_url$will_expire_msg$will_expire_msg_url
                                                        • API String ID: 2111319264-3957360236
                                                        • Opcode ID: 23b7e45534788e03899139bec9bac78cffcc4ac8442624722dc07a65d20a10ec
                                                        • Instruction ID: 6f40bd967e11d1299140e9806e17ef6c79cc850538cfd73115c576861ff7d8cd
                                                        • Opcode Fuzzy Hash: 23b7e45534788e03899139bec9bac78cffcc4ac8442624722dc07a65d20a10ec
                                                        • Instruction Fuzzy Hash: 525202B0984348BFFBA0BB60DC85F9BBBADEB54748F400809F28655391D7B19C54CB66
                                                        Function 02BF3110 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 221registryfileCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 904 2bf3110-2bf311d 905 2bf311f-2bf3120 UnmapViewOfFile 904->905 906 2bf3126-2bf3130 904->906 905->906 907 2bf337f-2bf338b 906->907 908 2bf3136-2bf3167 call 2be28e0 OpenFileMappingA call 2be2bd0 906->908 909 2bf338d-2bf33a3 call 2c06f60 907->909 910 2bf33a8-2bf33ae 907->910 917 2bf3169-2bf318b MapViewOfFile CloseHandle 908->917 918 2bf3191-2bf31c2 GetModuleHandleA GetModuleFileNameA 908->918 909->910 917->918 919 2bf31d4-2bf31f8 RegOpenKeyA 918->919 920 2bf31c4-2bf31c7 918->920 923 2bf31fe-2bf3221 RegQueryValueExA 919->923 924 2bf3289-2bf329c RegOpenKeyA 919->924 921 2bf31cc-2bf31d2 920->921 922 2bf31c9 920->922 921->919 921->920 922->921 925 2bf323c-2bf325b RegQueryValueExA 923->925 926 2bf3223-2bf3227 923->926 927 2bf329e-2bf32c1 RegQueryValueExA 924->927 928 2bf3315-2bf332e GetEnvironmentVariableA 924->928 932 2bf325d-2bf3261 925->932 933 2bf3272-2bf3283 RegCloseKey 925->933 926->925 931 2bf3229-2bf3234 926->931 929 2bf32d8 927->929 930 2bf32c3-2bf32c7 927->930 934 2bf336a-2bf3370 928->934 935 2bf3330-2bf3335 928->935 938 2bf32dd-2bf32f8 RegQueryValueExA 929->938 930->929 936 2bf32c9-2bf32d4 930->936 931->925 939 2bf3236-2bf323a 931->939 932->933 940 2bf3263-2bf3268 932->940 933->924 933->928 934->907 937 2bf3372-2bf337a 934->937 941 2bf3339-2bf3341 935->941 936->938 942 2bf32d6 936->942 937->907 943 2bf330a-2bf330f RegCloseKey 938->943 944 2bf32fa-2bf32fe 938->944 939->933 940->933 945 2bf326a 940->945 946 2bf3343-2bf3345 941->946 947 2bf3361-2bf3363 941->947 949 2bf3306 942->949 943->928 944->943 950 2bf3300-2bf3304 944->950 945->933 951 2bf335d-2bf335f 946->951 952 2bf3347-2bf3351 946->952 948 2bf3366-2bf3368 947->948 948->934 948->937 949->943 950->943 950->949 951->948 952->947 953 2bf3353-2bf335b 952->953 953->941 953->951
                                                        APIs
                                                        • UnmapViewOfFile.KERNEL32(02C66644), ref: 02BF3120
                                                        • OpenFileMappingA.KERNEL32(00000006,00000000,?), ref: 02BF3154
                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,75131C40,00000000), ref: 02BF3172
                                                        • CloseHandle.KERNEL32(00000000,?,75131C40,00000000), ref: 02BF318B
                                                        • GetModuleHandleA.KERNEL32 ref: 02BF31A7
                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02BF31AE
                                                        • RegOpenKeyA.ADVAPI32(80000001,Software\Thinstall_Diagnostics,00000000), ref: 02BF31E9
                                                        • RegQueryValueExA.ADVAPI32(?,trace_all,00000000,?,?,?), ref: 02BF321D
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 02BF3257
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 02BF3277
                                                        • RegOpenKeyA.ADVAPI32(80000002,Software\Thinstall_Diagnostics,00000000), ref: 02BF3298
                                                        • RegQueryValueExA.ADVAPI32(?,trace_all,00000000,?,?,?), ref: 02BF32BD
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 02BF32F4
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 02BF330F
                                                        • GetEnvironmentVariableA.KERNEL32(TS_TRACE,?,00000100), ref: 02BF3324
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileQueryValue$CloseOpen$HandleModuleView$EnvironmentMappingNameUnmapVariable
                                                        • String ID: 2.730$Software\Thinstall_Diagnostics$TS_TRACE$aplm_%s$trace_all
                                                        • API String ID: 227070316-944461889
                                                        • Opcode ID: 876b344d69e2152df2ef9daef092321946cb99aca53b57cd9f4de61bb5f02d0f
                                                        • Instruction ID: f668578c01d7f84da679ee4825e4d57e80fa4291faf6ce63fe7aabb1d01ba3be
                                                        • Opcode Fuzzy Hash: 876b344d69e2152df2ef9daef092321946cb99aca53b57cd9f4de61bb5f02d0f
                                                        • Instruction Fuzzy Hash: A071A070A44382AFE750CF25D884F6B7BE8EB89744F104A99FA8597180E774D58CCB92
                                                        Function 00201340 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 277COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 954 201340-201374 955 201692-2016af call 201a3a 954->955 956 20137a-20138b call 2019b0 954->956 961 201394-2013a2 call 2019b0 956->961 962 20138d-201392 956->962 968 2013a4-2013a9 961->968 969 2013ab-2013b9 call 2019b0 961->969 963 2013ee call 2012b0 962->963 967 2013f3-201401 call 201110 963->967 967->955 968->963 974 2013c2-2013d0 call 2019b0 969->974 975 2013bb-2013c0 969->975 978 2013d2-2013d7 974->978 979 2013d9-2013e7 call 2019b0 974->979 975->963 978->963 982 201406-201414 call 2019b0 979->982 983 2013e9 979->983 986 201543-201551 call 2019b0 982->986 987 20141a-20141d 982->987 983->963 993 201557-20155a 986->993 994 20166f-20167d call 2019b0 986->994 987->986 988 201423-201439 call 201780 987->988 995 20143b-20145e call 201890 call 201700 988->995 996 20148e-2014be call 201890 call 2012b0 988->996 993->994 998 201560-201579 call 201780 993->998 994->955 1005 20167f-201682 994->1005 995->996 1020 201460-20146c 995->1020 1017 2014c0-2014cc 996->1017 1018 2014e8-201500 996->1018 1010 20157b-20159e call 201890 call 201700 998->1010 1011 2015ce-2015fb call 201890 SetEnvironmentVariableA 998->1011 1005->955 1009 201684-20168c SetEnvironmentVariableA 1005->1009 1009->955 1010->1011 1043 2015a0-2015ac 1010->1043 1024 201625-20163d 1011->1024 1025 2015fd-201609 1011->1025 1022 2014de-2014e5 call 201a48 1017->1022 1023 2014ce-2014dc 1017->1023 1026 201530-20153e call 201110 1018->1026 1027 201502-20150e 1018->1027 1028 201484-20148b call 201a48 1020->1028 1029 20146e-20147c 1020->1029 1022->1018 1023->1022 1034 201520 _invalid_parameter_noinfo_noreturn 1023->1034 1024->955 1032 20163f-20164b 1024->1032 1036 20161b-201622 call 201a48 1025->1036 1037 20160b-201619 1025->1037 1026->955 1038 201510-20151e 1027->1038 1039 201526-20152d call 201a48 1027->1039 1028->996 1029->1028 1040 20147e _invalid_parameter_noinfo_noreturn 1029->1040 1044 201663-20166d call 201a48 1032->1044 1045 20164d-20165b 1032->1045 1034->1039 1036->1024 1037->1036 1048 20165d _invalid_parameter_noinfo_noreturn 1037->1048 1038->1034 1038->1039 1039->1026 1040->1028 1052 2015c4-2015cb call 201a48 1043->1052 1053 2015ae-2015bc 1043->1053 1044->955 1045->1044 1045->1048 1048->1044 1052->1011 1053->1052 1055 2015be _invalid_parameter_noinfo_noreturn 1053->1055 1055->1052
                                                        APIs
                                                        • _printf.MSPDB140-MSVCRT ref: 002013F9
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 0020147E
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00201520
                                                        • _printf.MSPDB140-MSVCRT ref: 00201536
                                                          • Part of subcall function 00201890: memcpy.VCRUNTIME140(?,?,?,?,?,?), ref: 0020197B
                                                          • Part of subcall function 00201890: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?), ref: 0020198A
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 002015BE
                                                        • SetEnvironmentVariableA.KERNEL32(?,?), ref: 002015EF
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020165D
                                                        • SetEnvironmentVariableA.KERNEL32(TS_CURRENT_KEY,?,85413565), ref: 0020168C
                                                          • Part of subcall function 00201780: memcpy.VCRUNTIME140(?,?,?,?,?,?), ref: 002017D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404252170.0000000000201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00200000, based on PE: true
                                                        • Associated: 00000001.00000002.1404227563.0000000000200000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404302566.0000000000204000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404321269.0000000000205000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404340131.0000000000207000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_200000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memcpy$EnvironmentVariable_printf
                                                        • String ID: (U $@U $TS_CURRENT_KEY$TS_EXPDATE$TS_EXPIRED$TS_KEYDATA_$TS_LICINFO$TS_MACID$T
                                                        • API String ID: 1886252973-2679575336
                                                        • Opcode ID: f0107b3f382479b043f5e8a319aa9414f20d44218078b1ba32391890ee5cde11
                                                        • Instruction ID: 68990ebc80f3a33b98782bbc0044635019594b73b5f0d3cfc2d71ea33083d00f
                                                        • Opcode Fuzzy Hash: f0107b3f382479b043f5e8a319aa9414f20d44218078b1ba32391890ee5cde11
                                                        • Instruction Fuzzy Hash: EF91F671A203049BCB18DF60DC956AEB77AEF45310F184218F802AB6D7DB359E75CB51
                                                        Function 02BE13C2 Relevance: 23.3, APIs: 2, Strings: 11, Instructions: 558memoryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1059 2be13c2-2be1407 call 2bebab0 1062 2be140d-2be1419 call 2bf88e0 1059->1062 1063 2be1860-2be18e9 1059->1063 1070 2be141b-2be141f call 2c02700 1062->1070 1071 2be1424-2be1495 call 2bf5c10 1062->1071 1065 2be18eb 1063->1065 1066 2be18f2-2be194d call 2be5910 1063->1066 1065->1066 1072 2be194f-2be196f call 2be27c0 1066->1072 1073 2be1972-2be19c2 call 2bf6f10 call 2bf7240 1066->1073 1070->1071 1081 2be149f-2be14a6 1071->1081 1072->1073 1090 2be19c4-2be19c8 call 2be6fb0 1073->1090 1091 2be19d0-2be1a07 call 2bf6470 call 2bf5840 1073->1091 1082 2be14a8-2be14b2 1081->1082 1083 2be14b4-2be14c3 1081->1083 1085 2be14c9-2be14d5 1082->1085 1083->1085 1088 2be14d7-2be1509 call 2be31c0 1085->1088 1089 2be1542-2be1550 call 2bf6410 1085->1089 1102 2be152e-2be1537 1088->1102 1103 2be150b-2be152c call 2bf7460 call 2bf74d0 1088->1103 1098 2be1555-2be1581 call 2bfc920 1089->1098 1099 2be19cd 1090->1099 1110 2be1a1c-2be1a3d call 2bf6470 * 2 1091->1110 1111 2be1a09-2be1a19 call 2bf5840 1091->1111 1108 2be1588-2be1594 call 2bf6f10 1098->1108 1109 2be1583 call 2be1050 1098->1109 1099->1091 1107 2be153d 1102->1107 1103->1107 1107->1081 1122 2be176d-2be17c4 call 2bf6470 * 6 call 2bf8550 1108->1122 1123 2be159a-2be15c1 1108->1123 1109->1108 1129 2be1a3f-2be1a4d 1110->1129 1130 2be1a56-2be1a5d 1110->1130 1111->1110 1191 2be17c6-2be17cf call 2bf59e0 1122->1191 1192 2be17d2-2be17e2 1122->1192 1134 2be15d2-2be15dd 1123->1134 1129->1130 1131 2be1a6f-2be1a7b call 2bfc920 1130->1131 1132 2be1a5f-2be1a66 1130->1132 1145 2be1bf9-2be1c15 1131->1145 1146 2be1a81-2be1a9c 1131->1146 1132->1131 1137 2be15df-2be15eb 1134->1137 1138 2be1609-2be1768 call 2be28e0 call 2bfb930 call 2bfbb30 call 2be2bd0 call 2be28e0 call 2bfb930 call 2bfbb30 call 2be2bd0 1134->1138 1142 2be15ed-2be15f9 1137->1142 1143 2be15fb-2be1601 1137->1143 1138->1122 1142->1143 1148 2be1607 1142->1148 1143->1148 1150 2be1c5e-2be1c6a call 2be4720 1145->1150 1151 2be1c17-2be1c5b call 2be4940 call 2bf3010 1145->1151 1153 2be1a9e-2be1ab8 VirtualProtect 1146->1153 1154 2be1adc-2be1ae8 1146->1154 1148->1134 1171 2be1c6c call 2be10d0 1150->1171 1172 2be1c71-2be1cb0 call 2be4720 1150->1172 1151->1150 1158 2be1aba-2be1acc VirtualProtect 1153->1158 1159 2be1ad2-2be1ad5 1153->1159 1161 2be1afe-2be1b17 call 2be1370 1154->1161 1162 2be1aea-2be1afb call 2bf3010 1154->1162 1158->1159 1159->1154 1161->1145 1162->1161 1171->1172 1189 2be1cec-2be1d0e 1172->1189 1190 2be1cb2-2be1ce9 call 2be4940 call 2bf3010 1172->1190 1196 2be1d1f-2be1d2b 1189->1196 1190->1189 1191->1192 1197 2be17f3-2be17ff 1192->1197 1201 2be1d2d-2be1d3f call 2be2bd0 1196->1201 1202 2be1d52-2be1d96 call 2bedc70 1196->1202 1203 2be1803-2be185b call 2bedc70 call 2bf7740 1197->1203 1204 2be1801 1197->1204 1219 2be1d50 1201->1219 1220 2be1d41-2be1d4d call 2bedc70 1201->1220 1217 2be1d98-2be1da0 call 2be7740 1202->1217 1218 2be1da7-2be1e77 call 2bf7740 1202->1218 1203->1063 1204->1197 1217->1218 1219->1196 1220->1219
                                                        APIs
                                                          • Part of subcall function 02BFB930: MultiByteToWideChar.KERNEL32(02C66704,00000000,?,000000FF,00000000,00000000,000000FF), ref: 02BFB9A3
                                                        • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 02BE1AB0
                                                        • VirtualProtect.KERNEL32(?,00000004,00000004,?), ref: 02BE1ACC
                                                          • Part of subcall function 02BF59E0: LoadLibraryA.KERNEL32(?), ref: 02BF5AF1
                                                        Strings
                                                        • .exe, xrefs: 02BE18F2
                                                        • Application Launched, xrefs: 02BE1A41
                                                        • APISPY: Finished DLL_PROCESS_ATTACH (hinst=%08x/%s) -> %d, xrefs: 02BE1CDF
                                                        • APISPY: Calling EXE Entry Point %x, xrefs: 02BE1AF1
                                                        • .dll, xrefs: 02BE18B1
                                                        • mscoree.dll, xrefs: 02BE1C5E
                                                        • failed to load %s, xrefs: 02BE1956
                                                        • C:\jc\VOS2\thinstall\os\ts_stub.cpp, xrefs: 02BE1960
                                                        • Launching %s, xrefs: 02BE1613
                                                        • Loading %s, xrefs: 02BE16C5
                                                        • APISPY: Calling DLL_PROCESS_ATTACH entry=%08x (hinst=%08x/%s, reason=%x, reserved=%x), xrefs: 02BE1C51
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$ByteCharLibraryLoadMultiWide
                                                        • String ID: .dll$.exe$APISPY: Calling DLL_PROCESS_ATTACH entry=%08x (hinst=%08x/%s, reason=%x, reserved=%x)$APISPY: Calling EXE Entry Point %x$APISPY: Finished DLL_PROCESS_ATTACH (hinst=%08x/%s) -> %d$Application Launched$C:\jc\VOS2\thinstall\os\ts_stub.cpp$Launching %s$Loading %s$failed to load %s$mscoree.dll
                                                        • API String ID: 302683649-3145941598
                                                        • Opcode ID: 4599d5114b5cd448abc97668650ae63f4556e7170739150b08bb0b20d21db87e
                                                        • Instruction ID: e3806cf242c755fe37194716dd645c20136c21d6a04d4ffba45723e6df9783f5
                                                        • Opcode Fuzzy Hash: 4599d5114b5cd448abc97668650ae63f4556e7170739150b08bb0b20d21db87e
                                                        • Instruction Fuzzy Hash: D14239B4D002189FDB24DF54DC94BAEBBB9BF44308F2486D8D50AAB281D775AE84CF51
                                                        Function 02DE9A81 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 287timeCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1310 2de9a81-2de9ab9 call 2deb4c0 GetSystemTime SystemTimeToFileTime 1313 2de9abc-2de9b10 call 2de9de4 call 2dead40 * 3 1310->1313 1323 2de9b16-2de9b19 1313->1323 1324 2de9b12-2de9b14 1313->1324 1325 2de9b1b-2de9b32 call 2de50a5 1323->1325 1324->1325 1328 2de9b35-2de9b3d 1325->1328 1329 2de9b3f-2de9b46 1328->1329 1330 2de9b61-2de9b82 call 2deba40 1328->1330 1329->1330 1331 2de9b48-2de9b5f 1329->1331 1334 2de9b88-2de9b8b 1330->1334 1335 2de9b84-2de9b86 1330->1335 1331->1328 1336 2de9b8d-2de9c34 call 2de34fd call 2de520b call 2de518f call 2de53d2 call 2de520b call 2de518f call 2de53d2 call 2de5124 * 2 1334->1336 1335->1336 1355 2de9c3a-2de9c3b 1336->1355 1356 2de9d54-2de9d77 call 2de520b call 2de9e09 1336->1356 1357 2de9d20-2de9d43 call 2de520b call 2de9e09 1355->1357 1358 2de9c41-2de9c42 1355->1358 1368 2de9d7c-2de9d83 1356->1368 1375 2de9d48-2de9d52 1357->1375 1361 2de9d0f-2de9d1e WriteProfileStringA 1358->1361 1362 2de9c48-2de9c49 1358->1362 1366 2de9d8b-2de9dcf call 2de53d2 * 3 call 2dea6e0 1361->1366 1365 2de9c4f-2de9c8e GetTempPathA call 2de520b GetFileAttributesA 1362->1365 1362->1366 1377 2de9ca8-2de9caa 1365->1377 1378 2de9c90-2de9c9c CreateDirectoryA 1365->1378 1366->1313 1393 2de9dd5-2de9de3 1366->1393 1372 2de9d86 call 2de53d2 1368->1372 1372->1366 1375->1372 1381 2de9d06-2de9d0d 1377->1381 1382 2de9cac-2de9cc7 call 2de520b call 2de25f0 1377->1382 1380 2de9c9e-2de9ca6 GetFileAttributesA 1378->1380 1378->1381 1380->1377 1380->1381 1381->1372 1390 2de9ccc-2de9cdf call 2de53d2 1382->1390 1390->1381 1395 2de9ce1-2de9ce9 1390->1395 1396 2de9cef-2de9cf2 1395->1396 1397 2de9ceb-2de9ced 1395->1397 1398 2de9cf4-2de9d01 1396->1398 1397->1398 1398->1381
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE9A86
                                                        • GetSystemTime.KERNEL32(?,?,03395710,00000000), ref: 02DE9A9B
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02DE9AAC
                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 02DE9C5B
                                                          • Part of subcall function 02DE520B: __EH_prolog.LIBCMT ref: 02DE5210
                                                        • GetFileAttributesA.KERNEL32(?), ref: 02DE9C89
                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 02DE9C94
                                                        • GetFileAttributesA.KERNEL32(?), ref: 02DE9CA1
                                                        • WriteProfileStringA.KERNEL32(?,?,?), ref: 02DE9D18
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileTime$AttributesH_prologSystem$CreateDirectoryPathProfileStringTempWrite
                                                        • String ID: %s%s$%s.%d$%s\%s$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
                                                        • API String ID: 1656947821-1113863650
                                                        • Opcode ID: 34c8dce3d7b39e0c150b51778e0482ee18a9ee07a71b16fdf76ff11248185111
                                                        • Instruction ID: f804402fc02e2a1d31522d44c6926ae58ef4623a233fa09c746456706f7ca738
                                                        • Opcode Fuzzy Hash: 34c8dce3d7b39e0c150b51778e0482ee18a9ee07a71b16fdf76ff11248185111
                                                        • Instruction Fuzzy Hash: 7AB19C71D01149EECF11EBE4C994EEEBBB9EF08304F548098E506A7391E7759E08CB61
                                                        Function 02C0E9E0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267fileCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1400 2c0e9e0-2c0e9f6 1401 2c0e9fc-2c0ea19 CreateFileMappingA 1400->1401 1402 2c0ec7f-2c0ec87 1400->1402 1403 2c0ea1b-2c0ea37 CreateFileMappingA 1401->1403 1404 2c0ea3d-2c0ea50 MapViewOfFile 1401->1404 1403->1404 1407 2c0ec6e-2c0ec7e CloseHandle 1403->1407 1405 2c0ea52-2c0ea62 MapViewOfFile 1404->1405 1406 2c0ea68-2c0eaac call 2c00110 * 2 call 2bff1b0 1404->1406 1405->1406 1405->1407 1414 2c0eab2-2c0eab6 1406->1414 1415 2c0eb63-2c0eb9a call 2c00110 call 2c07270 1406->1415 1417 2c0eabc-2c0ead0 1414->1417 1425 2c0ebab-2c0ebaf 1415->1425 1426 2c0eb9c-2c0eba6 call 2c07270 1415->1426 1419 2c0ead2 1417->1419 1420 2c0ead4-2c0eafe call 2c00110 1417->1420 1419->1420 1427 2c0eb00-2c0eb15 call 2bff1b0 1420->1427 1428 2c0eb21-2c0eb23 1420->1428 1432 2c0ebb1-2c0ebc4 call 2c07270 1425->1432 1433 2c0ebe5-2c0ebf1 UnmapViewOfFile 1425->1433 1426->1425 1436 2c0eb33-2c0eb53 1427->1436 1440 2c0eb17-2c0eb1f 1427->1440 1430 2c0eb25-2c0eb31 1428->1430 1430->1436 1444 2c0ebd5-2c0ebd8 1432->1444 1445 2c0ebc6-2c0ebd0 call 2c07270 1432->1445 1437 2c0ebf3-2c0ebf5 1433->1437 1438 2c0ebf7-2c0ebfa 1433->1438 1441 2c0eab8 1436->1441 1442 2c0eb59-2c0eb61 1436->1442 1443 2c0ebfb-2c0ec10 MapViewOfFileEx 1437->1443 1438->1443 1440->1430 1441->1417 1442->1415 1443->1407 1446 2c0ec12-2c0ec24 MapViewOfFile 1443->1446 1444->1433 1448 2c0ebda-2c0ebe2 1444->1448 1445->1444 1446->1407 1449 2c0ec26-2c0ec3a MapViewOfFileEx 1446->1449 1448->1433 1449->1407 1450 2c0ec3c-2c0ec48 MapViewOfFile 1449->1450 1450->1407 1451 2c0ec4a-2c0ec57 1450->1451 1451->1407 1452 2c0ec59-2c0ec6b call 2bf3010 1451->1452 1452->1407
                                                        APIs
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000040,00000000,?,00000000), ref: 02C0EA0B
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,?,00000000), ref: 02C0EA29
                                                        • MapViewOfFile.KERNELBASE(00000000,00000026,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EA46
                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EA58
                                                        • CloseHandle.KERNELBASE(00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000,?,?,?,?,?,|sprof| ts_load_internal_module %s%d%d%d), ref: 02C0EC6F
                                                          • Part of subcall function 02C00110: SetFilePointer.KERNEL32(00000003,00000003,?,?,00000003,00000000,00000003,00000080,00000000), ref: 02C0013D
                                                          • Part of subcall function 02C07270: VirtualProtect.KERNELBASE(?,000000FF,02C0ED6B,?,?,?,?,00000000,?,02C4CAD8,000000FF,02C0ED6B,?,?,00000040,?), ref: 02C0729D
                                                        • UnmapViewOfFile.KERNEL32(00000000,?,00000008,00000040,00000000,00000008,00000000,00000000,00000000,00000008,00000000,00000008,?,00000000,00000008,00000000), ref: 02C0EBE6
                                                        • MapViewOfFileEx.KERNELBASE(00000000,00000026,00000000,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EC0A
                                                        • MapViewOfFile.KERNEL32(00000000,00000026,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EC1E
                                                        • MapViewOfFileEx.KERNEL32(00000000,00000006,00000000,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EC34
                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,02C0ECA1,00000000,00000000,?,00000000,02BE607E,?,00000000), ref: 02C0EC42
                                                        Strings
                                                        • Failed to mapviewofFile for module_map of %s ***, xrefs: 02C0EC61
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$View$CreateMapping$CloseHandlePointerProtectUnmapVirtual
                                                        • String ID: Failed to mapviewofFile for module_map of %s ***
                                                        • API String ID: 1270387057-365993320
                                                        • Opcode ID: 78949e86109a9007fe69cd1760811f0b2e5bcc02cc54bc38ffac863d50bb5223
                                                        • Instruction ID: 9c14952e505f12b316888cb98202b5d8f03d5a7ef2239ccbf03839a8392bdc86
                                                        • Opcode Fuzzy Hash: 78949e86109a9007fe69cd1760811f0b2e5bcc02cc54bc38ffac863d50bb5223
                                                        • Instruction Fuzzy Hash: 1B81AD71684315AFE724DE24CCC1F7BB7E9EB88B10F004A58FA55AB2C0D770E9458BA5
                                                        Function 02BE2210 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 208COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1455 2be2210-2be225d call 2c0d6a0 GetModuleHandleA 1458 2be2456-2be245c 1455->1458 1459 2be2263-2be226a 1455->1459 1462 2be227c-2be2282 1458->1462 1463 2be2462-2be2468 1458->1463 1460 2be244f-2be2451 1459->1460 1461 2be2270-2be2276 ExitProcess 1459->1461 1475 2be2500 1460->1475 1464 2be228a-2be22bf call 2be2020 1462->1464 1465 2be2284 1462->1465 1466 2be246f-2be2475 call 2bea270 1463->1466 1467 2be246a-2be246d 1463->1467 1476 2be2503-2be2513 1464->1476 1478 2be22c5-2be22cb 1464->1478 1465->1464 1472 2be2478-2be249b 1466->1472 1467->1466 1467->1472 1472->1476 1479 2be249d-2be24aa 1472->1479 1475->1476 1480 2be22cd-2be22d1 call 2bf85c0 1478->1480 1481 2be22d9-2be22e9 call 2be1060 1478->1481 1482 2be24ac-2be24ba call 2bf3010 1479->1482 1483 2be24bd-2be24fa call 2be7fb0 call 2bea940 call 2be1050 1479->1483 1489 2be22d6 1480->1489 1490 2be234e-2be23dc GetModuleHandleA GetModuleFileNameA call 2be2b50 call 2be1250 call 2bf88d0 call 2bfb9e0 call 2bfba80 call 2be2b50 call 2bfbb30 call 2be1250 call 2bf36b0 1481->1490 1491 2be22eb-2be22f0 call 2c0d2b0 1481->1491 1482->1483 1489->1481 1534 2be23de 1490->1534 1535 2be23df-2be2421 SetEnvironmentVariableA call 2bf2830 call 2be11a0 GetCommandLineA call 2bf3010 1490->1535 1501 2be22f0 call 2c0cce0 1491->1501 1504 2be22f5-2be2311 call 2c0cb80 call 2c0c9f0 call 2bf2860 call 2be2810 call 2c0b620 1501->1504 1525 2be2316-2be2349 call 2be1050 call 2bfbba0 call 2beb6e0 call 2bf1060 call 2c02f80 call 2c0a7b0 call 2c09370 call 2c07cc0 GetModuleHandleA 1504->1525 1525->1490 1534->1535 1549 2be2437-2be243f call 2c06a30 1535->1549 1550 2be2423 call 2c055e0 1535->1550 1558 2be24fb call 2be1390 1549->1558 1559 2be2445-2be244a call 2be1ea0 1549->1559 1556 2be2428-2be2432 call 2c078a0 call 2be1150 call 2c07a20 1550->1556 1556->1549 1558->1475 1559->1475
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02BE2238
                                                        • ExitProcess.KERNEL32 ref: 02BE2276
                                                        Strings
                                                        • Thinstall_DllMain(DLL_PROCESS_DETACH) (shutdown for module %x), xrefs: 02BE24B0
                                                        • TS_EXECUTE_EXTERNAL, xrefs: 02BE23E0
                                                        • KERNEL32.DLL, xrefs: 02BE233E
                                                        • cmdline=%s, xrefs: 02BE240D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ExitHandleModuleProcess
                                                        • String ID: KERNEL32.DLL$TS_EXECUTE_EXTERNAL$Thinstall_DllMain(DLL_PROCESS_DETACH) (shutdown for module %x)$cmdline=%s
                                                        • API String ID: 3701513920-3757307893
                                                        • Opcode ID: d597ae230d1c187ca0b6821d2dbbbfa08fd2161c602e5ea79314c4ba2c3d6753
                                                        • Instruction ID: 0cf3810e2c9f54975e5c4e9d6574853ef7163fd288e160e927b30be095f1386b
                                                        • Opcode Fuzzy Hash: d597ae230d1c187ca0b6821d2dbbbfa08fd2161c602e5ea79314c4ba2c3d6753
                                                        • Instruction Fuzzy Hash: 0661D5B1D802009BDF14FFA5ECD5B6E736EEF44310B204695E90B97242DB359954CF62
                                                        Function 02BFDEA3 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 198fileCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1570 2bfdea3-2bfdeb1 1571 2bfdeb3-2bfdecb CreateFileA 1570->1571 1572 2bfded0-2bfdef9 GetCurrentProcess * 2 DuplicateHandle 1570->1572 1571->1572 1573 2bfdefb-2bfdf26 call 2be27c0 1572->1573 1574 2bfdf28-2bfdf37 call 2bfde10 1572->1574 1579 2bfdf8c-2bfdf98 1573->1579 1574->1579 1580 2bfdf39-2bfdf60 CreateFileA call 2bfde10 1574->1580 1581 2bfdfef-2bfdff4 1579->1581 1582 2bfdf9a-2bfdfc2 call 2be27c0 1579->1582 1580->1579 1592 2bfdf62-2bfdf89 call 2be27c0 1580->1592 1586 2bfdffa-2bfe008 GetLastError 1581->1586 1587 2bfe126-2bfe12a 1581->1587 1582->1581 1590 2bfe00a-2bfe024 1586->1590 1591 2bfe027-2bfe02d 1586->1591 1590->1591 1593 2bfe02f-2bfe032 1591->1593 1594 2bfe034-2bfe039 1591->1594 1592->1579 1593->1594 1598 2bfe097-2bfe09a 1593->1598 1594->1598 1599 2bfe03b-2bfe04a 1594->1599 1601 2bfe09c-2bfe0ae 1598->1601 1602 2bfe0d3-2bfe0d5 1598->1602 1599->1598 1600 2bfe04c-2bfe058 call 2bedc40 1599->1600 1611 2bfe08d-2bfe095 1600->1611 1612 2bfe05a-2bfe088 1600->1612 1601->1602 1605 2bfe0b0-2bfe0bc call 2bedc40 1601->1605 1606 2bfe11b-2bfe122 SetLastError 1602->1606 1607 2bfe0d7-2bfe0e3 call 2bedc40 1602->1607 1616 2bfe0be-2bfe0d1 1605->1616 1617 2bfe10b 1605->1617 1606->1587 1607->1617 1618 2bfe0e5-2bfe0f1 1607->1618 1615 2bfe113-2bfe118 call 2bfdcf0 1611->1615 1612->1615 1615->1606 1619 2bfe0f4-2bfe109 1616->1619 1620 2bfe10d-2bfe112 1617->1620 1618->1619 1619->1620 1620->1615
                                                        APIs
                                                        • CreateFileA.KERNELBASE(02C661AC,80000000,00000003,?,00000003,00000080), ref: 02BFDEC9
                                                          • Part of subcall function 02BFDE10: RtlEnterCriticalSection.NTDLL(02C66760), ref: 02BFDE19
                                                          • Part of subcall function 02BFDE10: RtlLeaveCriticalSection.NTDLL(02C66760), ref: 02BFDE6A
                                                        • GetCurrentProcess.KERNEL32(?,80000000,00000001,00000002), ref: 02BFDEE4
                                                        • GetCurrentProcess.KERNEL32(000002A4,00000000), ref: 02BFDEEE
                                                        • DuplicateHandle.KERNELBASE(00000000), ref: 02BFDEF1
                                                        • CreateFileA.KERNEL32(02C661AC,80000000,00000003,?,00000003,00000080), ref: 02BFDF4F
                                                          • Part of subcall function 02BFDE10: RtlLeaveCriticalSection.NTDLL(02C66760), ref: 02BFDE76
                                                        • GetLastError.KERNEL32 ref: 02BFDFFA
                                                        • SetLastError.KERNEL32(00000000), ref: 02BFE11C
                                                        Strings
                                                        • C:\jc\VOS2\thinstall\os\create_file2.cpp, xrefs: 02BFDF14, 02BFDF7A, 02BFDFAC
                                                        • Duplicate Handle failed: %s, xrefs: 02BFDF0A
                                                        • Duplicate Handle did not create new handle (h=%x) %s, xrefs: 02BFDFA2
                                                        • Failed to duplicate handle for %s using %s, xrefs: 02BFDF70
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$CreateCurrentErrorFileLastLeaveProcess$DuplicateEnterHandle
                                                        • String ID: C:\jc\VOS2\thinstall\os\create_file2.cpp$Duplicate Handle did not create new handle (h=%x) %s$Duplicate Handle failed: %s$Failed to duplicate handle for %s using %s
                                                        • API String ID: 771540328-3067229492
                                                        • Opcode ID: 00fbac182a1b46909a7aae1d9412f3885ea291fc374c34b38dee6de8fb81bdc4
                                                        • Instruction ID: 4766c1267cbbba3c99262c042f035b9f453137055cb3e97d179aa0765b7c7575
                                                        • Opcode Fuzzy Hash: 00fbac182a1b46909a7aae1d9412f3885ea291fc374c34b38dee6de8fb81bdc4
                                                        • Instruction Fuzzy Hash: BD61B4B0A403119FD754CF24DC85F26BBA9FB88714F108A99FA05DB351C770E958CBA2
                                                        Function 02DE80C6 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 305timeCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1623 2de80c6-2de80ec call 2deb4c0 1626 2de8409-2de840d 1623->1626 1627 2de80f2-2de811e call 2de1390 call 2de2dc5 1623->1627 1629 2de840f-2de847a call 2de56ce 1626->1629 1630 2de847c-2de8484 1626->1630 1640 2de811f-2de8124 1627->1640 1631 2de84a6-2de84b7 1629->1631 1630->1631 1632 2de8486-2de848d 1630->1632 1632->1631 1635 2de848f-2de8496 1632->1635 1642 2de8498-2de849f call 2de6bc9 1635->1642 1643 2de84a1 1635->1643 1644 2de812a-2de812f 1640->1644 1645 2de8126-2de8128 1640->1645 1642->1631 1643->1631 1648 2de84a1 call 2de5fe2 1643->1648 1647 2de8132-2de8135 1644->1647 1645->1647 1651 2de815e-2de8180 call 2de7fca 1647->1651 1652 2de8137-2de8149 call 2de5440 1647->1652 1648->1631 1659 2de8186-2de8189 1651->1659 1660 2de8182-2de8184 1651->1660 1661 2de815b-2de815c 1652->1661 1662 2de814b-2de8156 call 2de5359 1652->1662 1664 2de818b-2de81af call 2de50a5 call 2dec5f0 1659->1664 1660->1664 1661->1640 1662->1661 1669 2de81b6-2de81bb 1664->1669 1670 2de81b1 call 2de7bc4 1664->1670 1672 2de81bd-2de81bf 1669->1672 1673 2de81c1-2de81c4 1669->1673 1670->1669 1674 2de81c6-2de8203 call 2de2214 GetSystemTime call 2de1228 call 2de1203 1672->1674 1673->1674 1681 2de820a 1674->1681 1682 2de8205-2de8208 1674->1682 1683 2de820c-2de8341 call 2de227d call 2de5244 call 2de5359 call 2de53d2 call 2de1b55 * 2 call 2de1bcd * 5 call 2de50a5 call 2de34fd call 2dea33d call 2dea4cb call 2de9399 call 2de5359 call 2de53d2 1681->1683 1682->1683 1720 2de83b7-2de83c4 1683->1720 1721 2de8343-2de8386 call 2de58ea call 2de8df7 call 2de5cee call 2de5fe2 1683->1721 1726 2de83c6-2de83c8 call 2de6bc9 1720->1726 1727 2de83d0 1720->1727 1741 2de8388 1721->1741 1742 2de8392-2de8393 1721->1742 1733 2de83cd-2de83ce 1726->1733 1730 2de83d5-2de8404 call 2de21ae call 2dea6e0 call 2de53d2 call 2de2dd5 1727->1730 1731 2de83d0 call 2de5fe2 1727->1731 1730->1631 1731->1730 1733->1730 1744 2de838a ExitProcess 1741->1744 1742->1720 1742->1744
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE80CB
                                                        • GetSystemTime.KERNEL32(?,?,?,00000000,00000000), ref: 02DE81E0
                                                          • Part of subcall function 02DE34FD: __EH_prolog.LIBCMT ref: 02DE3502
                                                          • Part of subcall function 02DEA33D: __EH_prolog.LIBCMT ref: 02DEA342
                                                          • Part of subcall function 02DEA33D: GetVolumeInformationA.KERNELBASE(c:\,?,00000104,?,?,?,?,00000104,02DFC788,00000000), ref: 02DEA417
                                                          • Part of subcall function 02DEA33D: GetComputerNameA.KERNEL32(?,00000008), ref: 02DEA44A
                                                          • Part of subcall function 02DEA4CB: __EH_prolog.LIBCMT ref: 02DEA4D0
                                                          • Part of subcall function 02DE9399: __EH_prolog.LIBCMT ref: 02DE939E
                                                          • Part of subcall function 02DE8DF7: __EH_prolog.LIBCMT ref: 02DE8DFC
                                                          • Part of subcall function 02DE5CEE: __EH_prolog.LIBCMT ref: 02DE5CF3
                                                          • Part of subcall function 02DE5FE2: __EH_prolog.LIBCMT ref: 02DE5FE7
                                                          • Part of subcall function 02DE5FE2: GetSystemTime.KERNEL32(?,?,02DFC7B0), ref: 02DE609E
                                                          • Part of subcall function 02DE5FE2: SystemTimeToFileTime.KERNEL32(?,02DFC7B8,?,02DFC7B0), ref: 02DE60AD
                                                        • ExitProcess.KERNEL32 ref: 02DE838A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog$Time$System$ComputerExitFileInformationNameProcessVolume
                                                        • String ID: -th_setkey$2$GetEnvironmentVariableA$GetEnvironmentVariableW$SetEnvironmentVariableA$SetEnvironmentVariableW$kernel32.dll
                                                        • API String ID: 454297466-342239240
                                                        • Opcode ID: 924e80c1b76468ad34acca0e6bcf1c9c458c8ad07b87353ec58e659239afcc02
                                                        • Instruction ID: 68f439962be9dd00f27acee3475eec24edb7605b00fcdfa7eb3f622ae924fee0
                                                        • Opcode Fuzzy Hash: 924e80c1b76468ad34acca0e6bcf1c9c458c8ad07b87353ec58e659239afcc02
                                                        • Instruction Fuzzy Hash: 66B17C70900208AFDF04FFA4D894AAE7BBAEF04314F10445AE557AB3A1DB709E19DF61
                                                        Function 02DE9E55 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 365timeCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1803 2de9e55-2de9e79 call 2deb4c0 1806 2de9e7d-2de9f19 call 2de520b call 2de518f call 2de53d2 call 2de520b call 2de518f call 2de53d2 call 2de5124 * 2 1803->1806 1823 2de9f1f-2de9f20 1806->1823 1824 2dea082-2dea0a6 call 2de520b call 2de999d 1806->1824 1826 2dea04d-2dea071 call 2de520b call 2de999d 1823->1826 1827 2de9f26-2de9f27 1823->1827 1841 2dea0ab-2dea0b2 1824->1841 1847 2dea076-2dea080 1826->1847 1828 2de9fcd-2de9ff6 GetProfileStringA 1827->1828 1829 2de9f2d-2de9f2e 1827->1829 1835 2de9ff8-2dea01c call 2de1228 GetProfileStringA 1828->1835 1836 2dea033-2dea03a 1828->1836 1832 2dea268-2dea293 call 2de53d2 * 3 1829->1832 1833 2de9f34-2de9f7f GetTempPathA call 2de520b call 2de25f0 call 2de53d2 1829->1833 1871 2de9e7b 1832->1871 1872 2dea299-2dea2aa 1832->1872 1844 2dea0ba-2dea0be 1833->1844 1874 2de9f85-2de9fc8 call 2de5597 call 2de5359 call 2de53d2 1833->1874 1856 2dea01e-2dea022 call 2de538c 1835->1856 1857 2dea027-2dea02e call 2de12a4 1835->1857 1843 2dea03c-2dea04b call 2de538c 1836->1843 1836->1844 1849 2dea0b5 call 2de53d2 1841->1849 1843->1844 1844->1832 1851 2dea0c4-2dea0cf call 2de53e7 1844->1851 1847->1849 1849->1844 1851->1832 1865 2dea0d5-2dea12e call 2de53e7 call 2de51c1 call 2de53e7 call 2de34a3 1851->1865 1856->1857 1857->1844 1886 2dea154-2dea17c call 2de50a5 call 2dec5f0 1865->1886 1887 2dea130-2dea14f 1865->1887 1871->1806 1874->1844 1896 2dea17e-2dea184 1886->1896 1897 2dea189-2dea193 1886->1897 1887->1887 1890 2dea151 1887->1890 1890->1886 1899 2dea25c-2dea263 call 2dea6e0 1896->1899 1897->1896 1900 2dea195-2dea19c 1897->1900 1899->1832 1901 2dea19e-2dea1ab CompareFileTime 1900->1901 1902 2dea1ad-2dea1bc call 2deba40 1900->1902 1901->1902 1904 2dea1c3-2dea1c7 1901->1904 1902->1904 1907 2dea1d8-2dea1e7 call 2deba40 1904->1907 1908 2dea1c9-2dea1d6 CompareFileTime 1904->1908 1909 2dea1ee-2dea1f2 1907->1909 1908->1907 1908->1909 1912 2dea207-2dea20b 1909->1912 1913 2dea1f4-2dea205 call 2dec5f0 1909->1913 1912->1899 1915 2dea20d-2dea21e call 2dec5f0 1912->1915 1913->1912 1918 2dea220-2dea255 call 2de850b call 2deba40 1913->1918 1915->1899 1915->1918 1918->1899
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE9E5A
                                                          • Part of subcall function 02DE520B: __EH_prolog.LIBCMT ref: 02DE5210
                                                          • Part of subcall function 02DE5124: __EH_prolog.LIBCMT ref: 02DE5129
                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 02DE9F40
                                                          • Part of subcall function 02DE25F0: __EH_prolog.LIBCMT ref: 02DE25F5
                                                        • GetProfileStringA.KERNEL32(?,?,02DFC698,?,00000200), ref: 02DE9FEB
                                                        • GetProfileStringA.KERNEL32(?,?,02DFC698,00000000,00008000), ref: 02DEA013
                                                        • CompareFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 02DEA1A3
                                                        • CompareFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 02DEA1CE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog$CompareFileProfileStringTime$PathTemp
                                                        • String ID: %s%s\%s$%s.%d$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
                                                        • API String ID: 1965761582-3054474567
                                                        • Opcode ID: 8b20dde45d9d190839bc7e45ca294e9e819cdc0e97b6a74dfc56b2caf7377f4b
                                                        • Instruction ID: 38d67fb449f99c57f86fc405b5627bd0401fc1b5a74f775c0e2b0a6ebc4504cb
                                                        • Opcode Fuzzy Hash: 8b20dde45d9d190839bc7e45ca294e9e819cdc0e97b6a74dfc56b2caf7377f4b
                                                        • Instruction Fuzzy Hash: 38D18A71D00249AEDF11EBA4DC84BEEBBB9EF08308F544059E556A7390EB759E08CF61
                                                        Function 02BE6FB0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260memorythreadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1924 2be6fb0-2be6fbf 1925 2be6fef-2be6ff5 1924->1925 1926 2be6fc1-2be6fcd call 2bedc40 1924->1926 1928 2be6ffb-2be7017 call 2c0d8e0 1925->1928 1929 2be70b2 1925->1929 1933 2be6fcf-2be6fe8 1926->1933 1934 2be6fea 1926->1934 1942 2be7019-2be701e 1928->1942 1931 2be70b7-2be70b9 1929->1931 1935 2be70bf-2be70cd 1931->1935 1936 2be71c8-2be71f3 GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle call 2c0d8e0 1931->1936 1938 2be6fec 1933->1938 1934->1938 1939 2be70cf-2be70e1 GetCurrentThread call 2bf3010 1935->1939 1940 2be70e4-2be7150 GetProcessHeap RtlAllocateHeap call 2c0d8e0 1935->1940 1947 2be71f8-2be721f GetCurrentThreadId 1936->1947 1938->1925 1939->1940 1957 2be7152-2be7160 1940->1957 1944 2be7090-2be7097 1942->1944 1945 2be7020-2be702a 1942->1945 1950 2be7099-2be70a2 1944->1950 1951 2be70a7-2be70a9 1944->1951 1945->1944 1949 2be702c-2be7034 1945->1949 1953 2be723a-2be7245 1947->1953 1954 2be7221-2be722d 1947->1954 1958 2be708d-2be708e 1949->1958 1959 2be7036-2be7088 1949->1959 1950->1951 1951->1931 1962 2be70ab-2be70ad call 2c0d910 1951->1962 1960 2be7247-2be7253 1953->1960 1961 2be7255-2be725a 1953->1961 1955 2be722f-2be7231 1954->1955 1956 2be7233 1954->1956 1963 2be7236-2be7238 1955->1963 1956->1963 1964 2be71bb-2be71bd 1957->1964 1965 2be7162-2be716c 1957->1965 1958->1942 1959->1958 1966 2be7290 call 2becb40 1960->1966 1967 2be725c-2be725e 1961->1967 1968 2be7276-2be7281 1961->1968 1962->1929 1963->1953 1963->1954 1973 2be71bf-2be71c1 call 2c0d910 1964->1973 1974 2be71c6 1964->1974 1965->1964 1970 2be716e-2be7178 1965->1970 1975 2be7295-2be72a5 call 2c0d910 1966->1975 1971 2be726e-2be7271 call 2bed420 1967->1971 1972 2be7260-2be726c 1967->1972 1968->1975 1976 2be7283-2be728f 1968->1976 1978 2be717a-2be7187 1970->1978 1979 2be71b8-2be71b9 1970->1979 1971->1968 1972->1966 1973->1974 1974->1936 1976->1966 1978->1979 1984 2be7189-2be71b6 1978->1984 1979->1957 1984->1979
                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 02BE70D0
                                                        • GetProcessHeap.KERNEL32 ref: 02BE70E4
                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,02C66250), ref: 02BE70F3
                                                        • GetCurrentProcess.KERNEL32(?,00000002,00000000,00000002), ref: 02BE71DA
                                                        • GetCurrentThread.KERNEL32 ref: 02BE71DD
                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 02BE71E4
                                                        • DuplicateHandle.KERNELBASE(00000000), ref: 02BE71E7
                                                        • GetCurrentThreadId.KERNEL32 ref: 02BE71F8
                                                          • Part of subcall function 02C0D910: RtlLeaveCriticalSection.NTDLL(02C665DC), ref: 02C0D914
                                                        Strings
                                                        • Thread %x : allocating thread local storage of size 0x%x, xrefs: 02BE70D7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread$Heap$AllocateCriticalDuplicateHandleLeaveSection
                                                        • String ID: Thread %x : allocating thread local storage of size 0x%x
                                                        • API String ID: 1358734722-2764710613
                                                        • Opcode ID: d648b5971433e92bf0d4c85fae5f5bbf9b955abbaa02be538ecfa8aa1009b56b
                                                        • Instruction ID: e04e30e0028a2ae62872fce759b55b4b694ed969647e12bcaee31721a9880850
                                                        • Opcode Fuzzy Hash: d648b5971433e92bf0d4c85fae5f5bbf9b955abbaa02be538ecfa8aa1009b56b
                                                        • Instruction Fuzzy Hash: FDA1B171A002159FCB14CF59D894A69F7BAFF887147198A99E80A9B341DB30E990CFC0
                                                        Function 02BF85C0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 189fileCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,00000104,00000104,?), ref: 02BF875D
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,?,?), ref: 02BF8789
                                                        • MapViewOfFile.KERNELBASE(00000000,00000002,00000000,00000000,00000000), ref: 02BF87A0
                                                          • Part of subcall function 02C2FBA0: SetEnvironmentVariableW.KERNEL32(?,?,000000FF,02BF86FD,TS_SOURCE,00000000,?,00000104,00000104,?), ref: 02C2FBCB
                                                          • Part of subcall function 02C2FE30: GetModuleFileNameW.KERNEL32(?,?,?), ref: 02C2FE57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CreateCurrentEnvironmentMappingModuleNameProcessVariableView
                                                        • String ID: %08x-th.ib$Bad TS_SOURCE value, file does not exist:%ls$C:\jc\VOS2\thinstall\os\create_process.cpp$TS_CWD$TS_MOD0$TS_SOURCE
                                                        • API String ID: 1136601659-2209332611
                                                        • Opcode ID: eece83277f65af44d114bb711b68520f265e215742deef1577237709b247af24
                                                        • Instruction ID: 06ce6720d90d46f2903b3da67fc29c3e90ebd6354c434dd78934e24cb09dc908
                                                        • Opcode Fuzzy Hash: eece83277f65af44d114bb711b68520f265e215742deef1577237709b247af24
                                                        • Instruction Fuzzy Hash: 8371D1712483409FD324DB24DC45FAAB7E5BFC4708F144A4CEA8957281DB75E849CB56
                                                        Function 02DE25F0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 135fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE25F5
                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000001,?,?,02DE9F6C,00000000,00000001,?,%s%s\%s), ref: 02DE26BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateFileH_prolog
                                                        • String ID: C:\jc\VOS2\i4\file\win32\win_file.cpp$Failed to open %s for %s$append/read/write$i4_file::Bad open flags!$read/write$reading$writing
                                                        • API String ID: 1113363744-2296789051
                                                        • Opcode ID: dfda9a67d7e809af117c9f794b4787bf29cb475ed753675a1d26d43babef74c4
                                                        • Instruction ID: 72ab764aa757cf1cf032724a277b4604902e39a518a246d437d98173279ad67b
                                                        • Opcode Fuzzy Hash: dfda9a67d7e809af117c9f794b4787bf29cb475ed753675a1d26d43babef74c4
                                                        • Instruction Fuzzy Hash: 6F412CB2B442847AFF29B668AC59BAD239C9B45364F18821EFD17DA3C0D771CD40C628
                                                        Function 02DE60E0 Relevance: 15.5, APIs: 10, Instructions: 459timeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetSystemTime.KERNEL32(?,02DFC810,02DFC7B0,00000000), ref: 02DE60F5
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02DE6103
                                                        • FileTimeToSystemTime.KERNEL32(02DE605D,?), ref: 02DE6188
                                                        • FileTimeToSystemTime.KERNEL32(02DE6055,?), ref: 02DE6195
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 02DE61A2
                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,02DFC7F4), ref: 02DE61B1
                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 02DE61D5
                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 02DE61FF
                                                        • CompareFileTime.KERNEL32(?,?,?,?), ref: 02DE63DD
                                                        • CompareFileTime.KERNEL32(?,?,?,?), ref: 02DE641A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Time$System$File$LocalSpecific$Compare
                                                        • String ID:
                                                        • API String ID: 4256208403-0
                                                        • Opcode ID: 812b5fe2e53c74b7bbbf351f0807dd719dfc42ad95ccd4881e973442ee7bed38
                                                        • Instruction ID: d1d76512671553ea4107675e918cc1f3ba1b47de3da30b852cdbce0b6567ce4b
                                                        • Opcode Fuzzy Hash: 812b5fe2e53c74b7bbbf351f0807dd719dfc42ad95ccd4881e973442ee7bed38
                                                        • Instruction Fuzzy Hash: 1212C7B1D002189FCF54DFA9C880AADBBF9BF18314F1081AAE95AA7351D7709A45CF90
                                                        Function 02C11C00 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 136fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 02C11CC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID: C:\jc\VOS2\i4\file\win32\win_file.cpp$Failed to open %s for %s$append/read/write$i4_file::Bad open flags!$read/write$reading$writing
                                                        • API String ID: 823142352-2296789051
                                                        • Opcode ID: 64382d1efa82028b2f51303bccd7302f486a2f2f74e079501d5ea5a7bf7c4a10
                                                        • Instruction ID: 40cb43c92cfe0670d69fd2c442deb92393811319aa8548b92998fbd3153f2b2c
                                                        • Opcode Fuzzy Hash: 64382d1efa82028b2f51303bccd7302f486a2f2f74e079501d5ea5a7bf7c4a10
                                                        • Instruction Fuzzy Hash: B4413B71B84340ABE7019A249C12B6737D8ABC6B54F0C0628FE59973C1E7EDDB0497A6
                                                        Function 02BF5C10 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 214memorythreadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • VirtualProtect.KERNELBASE(00000000,?,00000040,?,00000000,thinstall_entry), ref: 02BF5DF0
                                                        • DisableThreadLibraryCalls.KERNEL32(00000000), ref: 02BF5DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CallsDisableIncrementInterlockedLibraryProtectThreadVirtual
                                                        • String ID: .dll$load_plugin %s -> %x$thinstall_entry$virtual_registry$|sprof| load_plugins %s%d%d%d
                                                        • API String ID: 2145792272-3510175067
                                                        • Opcode ID: 93a856355b2506d3409e88555a2c2f74553acad41ea614a8a817835cd4b98cca
                                                        • Instruction ID: 5a62eccab34f0f98741457ef1019f686794e021a30912dccb2d4fceb9faacda3
                                                        • Opcode Fuzzy Hash: 93a856355b2506d3409e88555a2c2f74553acad41ea614a8a817835cd4b98cca
                                                        • Instruction Fuzzy Hash: 08819BB19083819FD720DF29C480A6BBBE9FB88704F5449ADF59A97310D7B4D849CB92
                                                        Function 02BFF4E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 213fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 02BFF4F8
                                                        • SetFilePointer.KERNELBASE(?,?,?,?,000002A4,?,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 02BFF5D5
                                                        • ReadFile.KERNELBASE ref: 02BFF611
                                                        • IsBadWritePtr.KERNEL32(?,?), ref: 02BFF6E0
                                                        • SetEvent.KERNEL32(?), ref: 02BFF756
                                                        • SetLastError.KERNEL32(?), ref: 02BFF761
                                                        Strings
                                                        • |loader| Decompress block at 0x%x, in_size=0x%x, out_size=0x%x, xrefs: 02BFF65E
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLast$EventPointerReadWrite
                                                        • String ID: |loader| Decompress block at 0x%x, in_size=0x%x, out_size=0x%x
                                                        • API String ID: 242288239-410466485
                                                        • Opcode ID: 7e65eb3e7944ae264f09116bbebec91ea8998f93c903d267dcf8972a48dc8317
                                                        • Instruction ID: 807fcdadcc23e20bc6f3376ba2a21a7247b527a09de4f812ec77eeb10f24a845
                                                        • Opcode Fuzzy Hash: 7e65eb3e7944ae264f09116bbebec91ea8998f93c903d267dcf8972a48dc8317
                                                        • Instruction Fuzzy Hash: 61815974604301AFDB60DF28C980B6BB7A5FF88744F14895CE9499B791D731EC49CB91
                                                        Function 02BF7240 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 157threadsleepCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 02BF7322
                                                        • Sleep.KERNEL32(0000000A), ref: 02BF733C
                                                        • GetCurrentThreadId.KERNEL32 ref: 02BF7351
                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 02BF73F5
                                                          • Part of subcall function 02C0D910: RtlLeaveCriticalSection.NTDLL(02C665DC), ref: 02C0D914
                                                        • SetLastError.KERNEL32(00000000,?), ref: 02BF7404
                                                        Strings
                                                        • attach_list (locked), xrefs: 02BF72CF
                                                        • Module %08x (%s) returned 0 for DLL_PROCESS_ATTACH! Will now be freed...***, xrefs: 02BF73C4
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CurrentErrorLastThread$CriticalLeaveSectionSleep
                                                        • String ID: Module %08x (%s) returned 0 for DLL_PROCESS_ATTACH! Will now be freed...***$attach_list (locked)
                                                        • API String ID: 1692029313-3259613937
                                                        • Opcode ID: 928e4d8537b0bfc3aa0947fafad8f68d0eba85da6b668bfb7b1e90d1f239f8ad
                                                        • Instruction ID: 34c729f14dc33ac5b8b3253db744e5ad2cd78b89c1493f2c624c64c9ea609101
                                                        • Opcode Fuzzy Hash: 928e4d8537b0bfc3aa0947fafad8f68d0eba85da6b668bfb7b1e90d1f239f8ad
                                                        • Instruction Fuzzy Hash: 9251CDB1A047409BC754EF68C884B6BBBE6EF84704F004D9DEA9693340DF35E949DB92
                                                        Function 002012A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00201881,?,?,?), ref: 002012A5
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002012CA
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002012F2
                                                        • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00201301
                                                        • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,00000000), ref: 00201324
                                                        • SysAllocString.OLEAUT32(00000000), ref: 00201327
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404252170.0000000000201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00200000, based on PE: true
                                                        • Associated: 00000001.00000002.1404227563.0000000000200000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404302566.0000000000204000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404321269.0000000000205000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404340131.0000000000207000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_200000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiVariableWide$AllocStringXlength_error@std@@
                                                        • String ID: string too long
                                                        • API String ID: 2487351749-2556327735
                                                        • Opcode ID: edff882526854ef0d6342ab3eef383518caf981ec4328c95ed8955ea878fa63a
                                                        • Instruction ID: 83e67aedc23cb2ef00ad427c84d348d4b514063c29742a8f86c29d82d33159c9
                                                        • Opcode Fuzzy Hash: edff882526854ef0d6342ab3eef383518caf981ec4328c95ed8955ea878fa63a
                                                        • Instruction Fuzzy Hash: 7E01F7B17403047FFB28A669AC4FF6ABA5DDB45770F200328FB28D72E1D9A16E104965
                                                        Function 02BE99F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 133libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?), ref: 02BE9AB1
                                                        • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?), ref: 02BE9AB5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: (***failed)$.dll$LoadLibraryA '%s' -> %x%s$LoadLibraryA'%s' -> %x (*** failed)
                                                        • API String ID: 1029625771-2844971360
                                                        • Opcode ID: 9dcbee59f2250cd2ae453a15a234b5352ca491c32a0092897e038d12973d5df0
                                                        • Instruction ID: 9f3a25bc2b0e1105c862013683b5e9d90ee5fff14c95665970ec3ff42f5742c1
                                                        • Opcode Fuzzy Hash: 9dcbee59f2250cd2ae453a15a234b5352ca491c32a0092897e038d12973d5df0
                                                        • Instruction Fuzzy Hash: 96413CB19087809FC710DF69848066BFBE5BB89704F5409AEF5AA93311D770D948CF63
                                                        Function 02DE999D Relevance: 9.1, APIs: 6, Instructions: 84registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 02DE99B2
                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 02DE99E0
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 02DE9A06
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02DE9A48
                                                        • RegCloseKey.ADVAPI32(?,00000000), ref: 02DE9A61
                                                        • RegCloseKey.ADVAPI32(?), ref: 02DE9A75
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: QueryValue$Close$Open
                                                        • String ID:
                                                        • API String ID: 2895014784-0
                                                        • Opcode ID: 21526c08f9a35879579513d60132ad08605de8f9e198fef79122d266dd60e273
                                                        • Instruction ID: b08d0d8932528217e36f2de3e086b9bf077399d6215a43fa04b4c9a11628296d
                                                        • Opcode Fuzzy Hash: 21526c08f9a35879579513d60132ad08605de8f9e198fef79122d266dd60e273
                                                        • Instruction Fuzzy Hash: BA21177250410DBADF11EFA0EC45EEE3B6DEF44354F208426BA569A250EB70DE54DFA0
                                                        Function 02C3A770 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32(00000000,000000FF,02C257AB,00000000), ref: 02C3A799
                                                        • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 02C3A7D5
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02C3A7FE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CurrentMappingOpenProcessView
                                                        • String ID: com client is waiting for %s$waitid-%d
                                                        • API String ID: 4111187041-3442215448
                                                        • Opcode ID: 6e9520076d0219667ae562a211045843efc5ea19ddef22c3a7fc710b768422d6
                                                        • Instruction ID: 59aab9b38f7d55b9165db9ce1f69b45d66c2d96a0b5cd5762f8a5dfc34c8c127
                                                        • Opcode Fuzzy Hash: 6e9520076d0219667ae562a211045843efc5ea19ddef22c3a7fc710b768422d6
                                                        • Instruction Fuzzy Hash: 3F31A475A803009FE304DF14DC49F66B7A4EB88714F044E69FD4597391C774A858CBA6
                                                        Function 02BFC680 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • GetCurrentProcess.KERNEL32 ref: 02BFC6CD
                                                        • K32EnumProcessModules.KERNEL32(00000000), ref: 02BFC6D0
                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,?), ref: 02BFC6F7
                                                        • EnumProcessModules.PSAPI(00000000), ref: 02BFC6FA
                                                        Strings
                                                        • |sprof| patch_scan_EnumProcessModules %s%d%d%d, xrefs: 02BFC69F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Process$CurrentEnumModules$IncrementInterlocked
                                                        • String ID: |sprof| patch_scan_EnumProcessModules %s%d%d%d
                                                        • API String ID: 1887515487-855142314
                                                        • Opcode ID: d9b4753a63d671b9c635e95391c4ae605734f5e21c8af325377a13c824d62ea4
                                                        • Instruction ID: 2f7f5a65761ad531597e19430daa4fe057d901fa96ddb2b01a2d01b5828baa82
                                                        • Opcode Fuzzy Hash: d9b4753a63d671b9c635e95391c4ae605734f5e21c8af325377a13c824d62ea4
                                                        • Instruction Fuzzy Hash: 3E21E4B6544345ABE320EF14DC49F9F7BA8EBC0710F000E18F59693290DB78A949CB92
                                                        Function 02DE98EA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE98EF
                                                          • Part of subcall function 02DE999D: RegOpenKeyA.ADVAPI32(?,?,?), ref: 02DE99B2
                                                          • Part of subcall function 02DE999D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 02DE99E0
                                                          • Part of subcall function 02DE999D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 02DE9A06
                                                          • Part of subcall function 02DE999D: RegCloseKey.ADVAPI32(?,00000000), ref: 02DE9A61
                                                          • Part of subcall function 02DE999D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02DE9A48
                                                          • Part of subcall function 02DE999D: RegCloseKey.ADVAPI32(?), ref: 02DE9A75
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: QueryValue$Close$H_prologOpen
                                                        • String ID: ProductId$ProductKey$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                        • API String ID: 1981898006-4144868099
                                                        • Opcode ID: 1d9a9f27632eca6d6edc4975c82f03c0cfd6f6f213eec29d0e3d8d18c8c9bf97
                                                        • Instruction ID: 2b6b5ffcbb5779c015ebab57bb28e2e28f9fda45288445dc16c4d7a736f9a51a
                                                        • Opcode Fuzzy Hash: 1d9a9f27632eca6d6edc4975c82f03c0cfd6f6f213eec29d0e3d8d18c8c9bf97
                                                        • Instruction Fuzzy Hash: F9115BB1D01119AAEF10EA94DC54FFF77BCEB60358F410459FA15A6302E3B49E04CAB1
                                                        Function 02C06FE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00008000,00000000,?,?,02C4CABB), ref: 02C07008
                                                          • Part of subcall function 02C0D8A0: RtlInitializeCriticalSection.NTDLL(00000004), ref: 02C0D8B5
                                                        • RtlAllocateHeap.NTDLL(02C66A9C,00000000,?), ref: 02C07054
                                                        • ExitProcess.KERNEL32 ref: 02C07085
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateCreateCriticalExitInitializeProcessSection
                                                        • String ID: no_mem_msg$no_mem_title
                                                        • API String ID: 3036864530-2569468903
                                                        • Opcode ID: 4cf936a9404733eefa32b145c7744caf8cce34595da025b2c0bf00284d6d11b8
                                                        • Instruction ID: 1bf8a3f67aed641737b742b12565ac3af7ee6397fbd0c64180cd1dadab30242d
                                                        • Opcode Fuzzy Hash: 4cf936a9404733eefa32b145c7744caf8cce34595da025b2c0bf00284d6d11b8
                                                        • Instruction Fuzzy Hash: 5E1104B1EC07116BE2509B29AC49F07369CEF84B14F008B39F50AD6280E735E4148B92
                                                        Function 02BF2860 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32(?,?,02BE2304), ref: 02BF2862
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,00008780,?), ref: 02BF288E
                                                        • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,?,02BE2304), ref: 02BF28AB
                                                        • GetCommandLineA.KERNEL32(00000080,?,?,02BE2304), ref: 02BF28BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CommandCreateCurrentLineMappingProcessView
                                                        • String ID: %d.themm
                                                        • API String ID: 3129219905-3378980812
                                                        • Opcode ID: 2f570ccb7921510cd66538b125917c792b6c1a2f4573ad12581fd58ab5404902
                                                        • Instruction ID: d99682e1f1d5428164ef4191e102a494b4bd6d882efcafd50a4996af0491fe42
                                                        • Opcode Fuzzy Hash: 2f570ccb7921510cd66538b125917c792b6c1a2f4573ad12581fd58ab5404902
                                                        • Instruction Fuzzy Hash: 3CF09071AC03107BE61467A0DC0AF9A335CAB48711F244B19FB43FA1C0DBF4A4948B99
                                                        Function 02C439D3 Relevance: 7.6, APIs: 5, Instructions: 143COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetStartupInfoA.KERNEL32(?), ref: 02C43A2C
                                                        • GetFileType.KERNEL32(00000800), ref: 02C43AD2
                                                        • GetStdHandle.KERNEL32(-000000F6), ref: 02C43B2B
                                                        • GetFileType.KERNELBASE(00000000), ref: 02C43B39
                                                        • SetHandleCount.KERNEL32 ref: 02C43B70
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileHandleType$CountInfoStartup
                                                        • String ID:
                                                        • API String ID: 1710529072-0
                                                        • Opcode ID: f6306aa3063ddaa01dc43cdd0c248774ab753b986b971cd73cd7a26596d1356f
                                                        • Instruction ID: b7d9a5703a1b189861fbaa71746c7875aa467c7aa6c8c693c59293fab8a59b58
                                                        • Opcode Fuzzy Hash: f6306aa3063ddaa01dc43cdd0c248774ab753b986b971cd73cd7a26596d1356f
                                                        • Instruction Fuzzy Hash: 31518671AC43918BC3209B28C88C7677BA0FB81734F2947A9D8A6CB2D1DF70D558CB11
                                                        Function 002012B0 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002012CA
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002012F2
                                                        • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00201301
                                                        • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,00000000), ref: 00201324
                                                        • SysAllocString.OLEAUT32(00000000), ref: 00201327
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404252170.0000000000201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00200000, based on PE: true
                                                        • Associated: 00000001.00000002.1404227563.0000000000200000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404302566.0000000000204000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404321269.0000000000205000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404340131.0000000000207000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_200000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiVariableWide$AllocString
                                                        • String ID:
                                                        • API String ID: 3008725509-0
                                                        • Opcode ID: 42f69ab3e96d8b76565f0a481b76d9fcab295397ea688745ffa3a9b9a93b07a2
                                                        • Instruction ID: cbdd5470ff0a8a2993a36cc8f472d908cbf0a10ffd58571d797064ab26fdcc4c
                                                        • Opcode Fuzzy Hash: 42f69ab3e96d8b76565f0a481b76d9fcab295397ea688745ffa3a9b9a93b07a2
                                                        • Instruction Fuzzy Hash: C901FE717443047FFB2856699C0BF7BBA5DCB45770F200329FB28D72E1D9A16D104565
                                                        Function 02C0D800 Relevance: 7.5, APIs: 5, Instructions: 34threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(02C66CF4,00000000,00000000,00000002), ref: 02C0D814
                                                        • GetCurrentThread.KERNEL32 ref: 02C0D817
                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 02C0D81E
                                                        • DuplicateHandle.KERNELBASE(00000000), ref: 02C0D821
                                                        • GetCurrentThreadId.KERNEL32 ref: 02C0D83C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread$DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 4285418203-0
                                                        • Opcode ID: 58fcd6beabb61507d719a5c8a32e6dd2cd1eae9f2c3a53faf7aa2b3747ecc227
                                                        • Instruction ID: 87a3e735d15e9efac63c92de5676aed600703638b642c1faad8d4bea63709867
                                                        • Opcode Fuzzy Hash: 58fcd6beabb61507d719a5c8a32e6dd2cd1eae9f2c3a53faf7aa2b3747ecc227
                                                        • Instruction Fuzzy Hash: B3F0B2B1E80711AFDB209FA5984DF077BE9EF48751F148E2AF545D7240C674A4548FA0
                                                        Function 02DEA4CB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DEA4D0
                                                        • GetVolumeInformationA.KERNELBASE(c:\,?,00000104,?,?,?,?,00000104,?,02DFC788,00000000), ref: 02DEA601
                                                        • GetComputerNameA.KERNEL32(?,?), ref: 02DEA633
                                                          • Part of subcall function 02DE9564: LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,00000000,02DFC788,00000000), ref: 02DE9585
                                                          • Part of subcall function 02DE9564: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02DE959C
                                                          • Part of subcall function 02DE9564: FreeLibrary.KERNEL32(00000000), ref: 02DE964F
                                                          • Part of subcall function 02DE9564: LoadLibraryA.KERNEL32(netapi32.dll), ref: 02DE9676
                                                          • Part of subcall function 02DE9564: GetProcAddress.KERNEL32(00000000,Netbios), ref: 02DE968D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Library$AddressLoadProc$ComputerFreeH_prologInformationNameVolume
                                                        • String ID: c:\
                                                        • API String ID: 2914532320-4070862797
                                                        • Opcode ID: 8e10f8b0593f1b95cd42be87105ba94ac004211262ad49b2b683734fe655cd17
                                                        • Instruction ID: 3d61c2c321f8b17e072736f2cb91096e21910811c3a18ad39e57699a097e6e3f
                                                        • Opcode Fuzzy Hash: 8e10f8b0593f1b95cd42be87105ba94ac004211262ad49b2b683734fe655cd17
                                                        • Instruction Fuzzy Hash: 7071F8B2D0025ADFDF10EFE4D984AEEBBB9BB08314F54416AE516A7241DB709E44CF60
                                                        Function 02DEA33D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DEA342
                                                        • GetVolumeInformationA.KERNELBASE(c:\,?,00000104,?,?,?,?,00000104,02DFC788,00000000), ref: 02DEA417
                                                        • GetComputerNameA.KERNEL32(?,00000008), ref: 02DEA44A
                                                          • Part of subcall function 02DEA2AB: __EH_prolog.LIBCMT ref: 02DEA2B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog$ComputerInformationNameVolume
                                                        • String ID: c:\
                                                        • API String ID: 3087783462-4070862797
                                                        • Opcode ID: bc95b063a81917cb7e0c790deb9f6f05e14dba07378ebab88b026b7662dd4b95
                                                        • Instruction ID: e080a02e04149afe7565bf36250e323f64fefc5407ef9b0f2a11bba46d514f4c
                                                        • Opcode Fuzzy Hash: bc95b063a81917cb7e0c790deb9f6f05e14dba07378ebab88b026b7662dd4b95
                                                        • Instruction Fuzzy Hash: 5A51467190014E9ACF15EFE4D844ADEBBBCFF08314F14855AE916A7240D7749E44CF60
                                                        Function 02C01850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(?,00000001,00000000,?,?,?,?,?,02C4C5F0,000000FF), ref: 02C01884
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,02C4C5F0,000000FF), ref: 02C01972
                                                        Strings
                                                        • DuplicateHandle sproc=%x h=%x tproc=%x inher=%x options=%x (duplicating compressed file handle!), xrefs: 02C018B7
                                                        • DuplicateHandle sproc=%x h=%x tproc=%x inher=%x options=%x -> ret=%x new=%x, xrefs: 02C0199C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CurrentDuplicateHandleProcess
                                                        • String ID: DuplicateHandle sproc=%x h=%x tproc=%x inher=%x options=%x (duplicating compressed file handle!)$DuplicateHandle sproc=%x h=%x tproc=%x inher=%x options=%x -> ret=%x new=%x
                                                        • API String ID: 1009649615-3094387979
                                                        • Opcode ID: 79b619486f7f8157d75243b210e3c6395eb52297527204826bf1bd562638ccb5
                                                        • Instruction ID: aab88b34a214c8272fd547f32c568b00fcb66e47445fd0b15f488b728fc07012
                                                        • Opcode Fuzzy Hash: 79b619486f7f8157d75243b210e3c6395eb52297527204826bf1bd562638ccb5
                                                        • Instruction Fuzzy Hash: 94415175604340AFD314DB14C8C0F6BBBA9EFC5768F190A1DF99953290D771EA44CBA2
                                                        Function 02BFFC30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02BFF9B0: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 02BFFA24
                                                          • Part of subcall function 02BFF9B0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02BFFACC
                                                        • WriteFile.KERNELBASE(?,?,?,?,?), ref: 02BFFC6A
                                                        • GetLastError.KERNEL32 ref: 02BFFCD7
                                                        Strings
                                                        • WriteFile h=%x sz=%x lpBuffer='%s'(extern) -> %x (%x written, er=%x) , xrefs: 02BFFCF3
                                                        • ?, xrefs: 02BFFCCD
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$Write$ErrorLastPointer
                                                        • String ID: ?$WriteFile h=%x sz=%x lpBuffer='%s'(extern) -> %x (%x written, er=%x)
                                                        • API String ID: 3001789091-4048506011
                                                        • Opcode ID: d92203006b9062d08bf9e2878b15dc27e4f7550a93d886e4f673c919da21f85a
                                                        • Instruction ID: 617836c0c62a7bf2ae1665dd81a091026a892bd5ac90bbe8fbf3e3c48a80de4b
                                                        • Opcode Fuzzy Hash: d92203006b9062d08bf9e2878b15dc27e4f7550a93d886e4f673c919da21f85a
                                                        • Instruction Fuzzy Hash: EA218F716083545FC708DA5998809BFF7E9EBC9704F50486DFA8183741D771E909CBA2
                                                        Function 02BFC920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(psapi.dll), ref: 02BFC9A9
                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 02BFC9BA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: EnumProcessModules$psapi.dll
                                                        • API String ID: 2574300362-2923372927
                                                        • Opcode ID: aa73642238705e1e2ce8874f5eb111b3b70bc0ab30a94bc4e5092840f2680d61
                                                        • Instruction ID: ea09c9e5f19abe6b0e95f8bab0af6d5f98ae5f9693c53c7cac2dc07aebad1d87
                                                        • Opcode Fuzzy Hash: aa73642238705e1e2ce8874f5eb111b3b70bc0ab30a94bc4e5092840f2680d61
                                                        • Instruction Fuzzy Hash: 5411B4B09843929BD751DF24C408716BFE8EB44B10F148BAAE99A87390D77884D8CB92
                                                        Function 02C0C9F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 02C0CA3A
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,00000008,?), ref: 02C0CA65
                                                        • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,?,?,?,000000FF,02BE22FF), ref: 02C0CA7B
                                                          • Part of subcall function 02C0D8A0: RtlInitializeCriticalSection.NTDLL(00000004), ref: 02C0D8B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CreateCriticalCurrentInitializeMappingProcessSectionView
                                                        • String ID: %d.thmst
                                                        • API String ID: 3643651264-2002706795
                                                        • Opcode ID: d066ccf8eb23ed4bd4001bdd88abb64454334b0e46e3d86f1aabb2d9de1637be
                                                        • Instruction ID: 28d871eaf19b391b734ea070600c031c4feacabb6e969287950fb25450e08c0f
                                                        • Opcode Fuzzy Hash: d066ccf8eb23ed4bd4001bdd88abb64454334b0e46e3d86f1aabb2d9de1637be
                                                        • Instruction Fuzzy Hash: 3E1186B0AC0741ABE754EF29DC4AB1A77D8AB84B10F108B29F656EB2D0DBB4D104CB55
                                                        Function 02C0B5A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(shfolder.dll), ref: 02C0B5B4
                                                        • GetProcAddress.KERNEL32(02C66BD0,SHGetFolderPathA), ref: 02C0B5C9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: SHGetFolderPathA$shfolder.dll
                                                        • API String ID: 2574300362-1468015651
                                                        • Opcode ID: 728631a48b1c6a2c412269c9b30e10bc8389ef52acd5ace0dfe5b754aa834b01
                                                        • Instruction ID: 62e3e20679fd0fd53f90be6b5c696dc64d76783b2811aaf834e15f3167417291
                                                        • Opcode Fuzzy Hash: 728631a48b1c6a2c412269c9b30e10bc8389ef52acd5ace0dfe5b754aa834b01
                                                        • Instruction Fuzzy Hash: F9F09C746443016BF724DB64DC95FB73398BBC0B04F544D18E988C7180FBB4DA549755
                                                        Function 02DE9E09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(?,?,?), ref: 02DE9E19
                                                        • RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000001,?,02DE9D7C,80000002,?,?,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s,?), ref: 02DE9E3A
                                                        • RegCloseKey.KERNELBASE(?,?,02DE9D7C,80000002,?,?,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s,?), ref: 02DE9E4A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: %s.%d
                                                        • API String ID: 1818849710-645285463
                                                        • Opcode ID: 8f0ffe2266be7b349fe070241a44a217efa0de1a881b42d2d7732deb5d98b15e
                                                        • Instruction ID: 8615ac8d36af68c5c61f940a9ad6f554a9c43cceb27438c04b3e10b9485e631a
                                                        • Opcode Fuzzy Hash: 8f0ffe2266be7b349fe070241a44a217efa0de1a881b42d2d7732deb5d98b15e
                                                        • Instruction Fuzzy Hash: C2F0FE32241118BBDF216E51EC04AEB3F2EEB00661F108020FB2A95560D772CD20DB94
                                                        Function 02C07270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,000000FF,02C0ED6B,?,?,?,?,00000000,?,02C4CAD8,000000FF,02C0ED6B,?,?,00000040,?), ref: 02C0729D
                                                        Strings
                                                        • |loader|modifying %s page protection at %08x - %08x (%d bytes), newProtect=0x%x -> %x, xrefs: 02C0730D
                                                        • |loader|modifying unknown page protection at %08x - %08x (%d bytes), newProtect=0x%x -> %x, xrefs: 02C072E5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: |loader|modifying %s page protection at %08x - %08x (%d bytes), newProtect=0x%x -> %x$|loader|modifying unknown page protection at %08x - %08x (%d bytes), newProtect=0x%x -> %x
                                                        • API String ID: 544645111-1112413151
                                                        • Opcode ID: b6f1231fe58ee8732268967ba847108ca4c0a37010a8530ae292b59a587c9291
                                                        • Instruction ID: ad8bfe44ffeb4b863e7a43a0643474fd56dc98d33a06ba322b8eb199c9bf6469
                                                        • Opcode Fuzzy Hash: b6f1231fe58ee8732268967ba847108ca4c0a37010a8530ae292b59a587c9291
                                                        • Instruction Fuzzy Hash: 3F21A175544341AFE210DF15CC40F6BBBECEFC9718F144A6DF89993240D731AA46CAA2
                                                        Function 02C055E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02BEB7D0: GetEnvironmentVariableA.KERNEL32(THNOCMDLN,?,00000002,?,000000FF,02C055EA,02BE2428,?,?,?,?,?,00000000,00000000,?), ref: 02BEB805
                                                          • Part of subcall function 02BF1190: GetProcAddress.KERNEL32(02C6610C,GetLongPathNameA), ref: 02BF11AB
                                                          • Part of subcall function 02C040E0: GetFileAttributesA.KERNELBASE(02C661AC), ref: 02C04104
                                                          • Part of subcall function 02C06D10: SetUnhandledExceptionFilter.KERNEL32(02C06BE0,?,?,?,?,?,?,02C05635,02BE2428,?,?,?,?,?,00000000,00000000), ref: 02C06DCE
                                                        • LoadLibraryA.KERNEL32(wsock32.dll), ref: 02C376A7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressAttributesEnvironmentExceptionFileFilterLibraryLoadProcUnhandledVariable
                                                        • String ID: c:\tmp\remote_loadd.dll$wsock32.dll
                                                        • API String ID: 3553348802-907105155
                                                        • Opcode ID: 7f3acad010e3b0b93091f4ca9a780c2ee7e8ace929092679cc1f6b21d4001835
                                                        • Instruction ID: abaa3915f8e156d7eb6b840e44b59efdb3316449c476ed299c11a2a749683a47
                                                        • Opcode Fuzzy Hash: 7f3acad010e3b0b93091f4ca9a780c2ee7e8ace929092679cc1f6b21d4001835
                                                        • Instruction Fuzzy Hash: 920149B08402401BEB127BF99946B6E726B9F40388F940FA0E61B951D0DF34C19C9D73
                                                        Function 02C09210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetProfileStringA.KERNEL32(?,?,?,?,?), ref: 02C0922D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ProfileString
                                                        • String ID: GetProfileStringA %s %s %s %d -> %x (%s)$NULL
                                                        • API String ID: 1468043044-299700256
                                                        • Opcode ID: 69e8906ef6dbc2339bb617bb3c41b3e048db1e1ebb6b875978e88a8f143ceb80
                                                        • Instruction ID: 4888ac25f06b64088202e02a7da7f3fa77a1a8905a112ee71f43dca72d594bd3
                                                        • Opcode Fuzzy Hash: 69e8906ef6dbc2339bb617bb3c41b3e048db1e1ebb6b875978e88a8f143ceb80
                                                        • Instruction Fuzzy Hash: 8CF01D726053156F9220DE4ADD84E6BBBECDBC9AA4F040559F984A3201C631ED44CBB2
                                                        Function 02DE5FE2 Relevance: 4.6, APIs: 3, Instructions: 71timeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5FE7
                                                          • Part of subcall function 02DE5A92: __EH_prolog.LIBCMT ref: 02DE5A97
                                                          • Part of subcall function 02DE8DF7: __EH_prolog.LIBCMT ref: 02DE8DFC
                                                          • Part of subcall function 02DE5B38: __EH_prolog.LIBCMT ref: 02DE5B3D
                                                          • Part of subcall function 02DE60E0: GetSystemTime.KERNEL32(?,02DFC810,02DFC7B0,00000000), ref: 02DE60F5
                                                          • Part of subcall function 02DE60E0: SystemTimeToFileTime.KERNEL32(?,?), ref: 02DE6103
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(02DE605D,?), ref: 02DE6188
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(02DE6055,?), ref: 02DE6195
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(?,?), ref: 02DE61A2
                                                          • Part of subcall function 02DE60E0: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,02DFC7F4), ref: 02DE61B1
                                                          • Part of subcall function 02DE60E0: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 02DE61D5
                                                        • GetSystemTime.KERNEL32(?,?,02DFC7B0), ref: 02DE609E
                                                        • SystemTimeToFileTime.KERNEL32(?,02DFC7B8,?,02DFC7B0), ref: 02DE60AD
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Time$System$File$H_prolog$LocalSpecific
                                                        • String ID:
                                                        • API String ID: 3896317126-0
                                                        • Opcode ID: 6e898b93bc7f7e2d37b8a0062b2403282db123c663a5100f9235350dcf5fadf1
                                                        • Instruction ID: f592e778312e4a4ea6594b1ceffca245ae036e3d425544c7a43d7e8a5f8aaba4
                                                        • Opcode Fuzzy Hash: 6e898b93bc7f7e2d37b8a0062b2403282db123c663a5100f9235350dcf5fadf1
                                                        • Instruction Fuzzy Hash: EE219571D60108ABDB91FB64EC05A9F7B7AEB14358F50051AE216E2790D7306D34DB6C
                                                        Function 02C2FAD0 Relevance: 4.6, APIs: 3, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetEnvironmentVariableW.KERNEL32(?,?,?), ref: 02C2FB00
                                                        • GetEnvironmentVariableA.KERNEL32(00000000), ref: 02C2FB4C
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,?), ref: 02C2FB7A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentVariable$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 2184640988-0
                                                        • Opcode ID: e4d3c8a0f91c072d1a7919232432406ea182006a30681c368ce8009ecf9f7a3c
                                                        • Instruction ID: 9675a3d859dc348a5c0913986c2633b3af887ecb33e90ccabfd7847597b9565b
                                                        • Opcode Fuzzy Hash: e4d3c8a0f91c072d1a7919232432406ea182006a30681c368ce8009ecf9f7a3c
                                                        • Instruction Fuzzy Hash: 7811A275604341ABD210DB24CC45F2BB7A9FBC8B64F004B1CF995933C0DB34E908CA62
                                                        Function 02DE5CEE Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 161COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5CF3
                                                          • Part of subcall function 02DE8DF7: __EH_prolog.LIBCMT ref: 02DE8DFC
                                                          • Part of subcall function 02DE586F: GetSystemTime.KERNEL32(?,02DFC7B0,?,02DE5B4F,02DFC7B0,00000000), ref: 02DE587C
                                                          • Part of subcall function 02DE586F: SystemTimeToFileTime.KERNEL32(?,000002BC,?,02DE5B4F,02DFC7B0,00000000), ref: 02DE5887
                                                          • Part of subcall function 02DE5B38: __EH_prolog.LIBCMT ref: 02DE5B3D
                                                          • Part of subcall function 02DE60E0: GetSystemTime.KERNEL32(?,02DFC810,02DFC7B0,00000000), ref: 02DE60F5
                                                          • Part of subcall function 02DE60E0: SystemTimeToFileTime.KERNEL32(?,?), ref: 02DE6103
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(02DE605D,?), ref: 02DE6188
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(02DE6055,?), ref: 02DE6195
                                                          • Part of subcall function 02DE60E0: FileTimeToSystemTime.KERNEL32(?,?), ref: 02DE61A2
                                                          • Part of subcall function 02DE60E0: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,02DFC7F4), ref: 02DE61B1
                                                          • Part of subcall function 02DE60E0: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 02DE61D5
                                                          • Part of subcall function 02DE60E0: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 02DE61FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Time$System$File$H_prologLocalSpecific
                                                        • String ID: key
                                                        • API String ID: 857372228-2324736937
                                                        • Opcode ID: 55cd9d9743e5273dba6f36f6260c613641cc99819da5b3bc6a901c10dee7a638
                                                        • Instruction ID: b93f213668b2f4d66372cf99ee72da3cdc576cb4b1b8b597e37d776a3279294b
                                                        • Opcode Fuzzy Hash: 55cd9d9743e5273dba6f36f6260c613641cc99819da5b3bc6a901c10dee7a638
                                                        • Instruction Fuzzy Hash: 95614C7180025DDADF21FB90E880BEDB779EF15348F84409AD556A2250DB745F98CF61
                                                        Function 02BE8940 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNELBASE(?), ref: 02BE8996
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID: %s%s
                                                        • API String ID: 4139908857-3252725368
                                                        • Opcode ID: 3677ab9494d9596015c1e6f7ddfabe17213801023fe5021f51939434b19006a1
                                                        • Instruction ID: 7255f4928b3ade27dc962a70ae954d46e5fef924f34d014c1c7ebc1e262ffc8f
                                                        • Opcode Fuzzy Hash: 3677ab9494d9596015c1e6f7ddfabe17213801023fe5021f51939434b19006a1
                                                        • Instruction Fuzzy Hash: A411D5B45083808BDB21DB30C854BFEB7A9EFC9718F440E9CE69613142D7758145CB67
                                                        Function 02DE5B38 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5B3D
                                                          • Part of subcall function 02DE586F: GetSystemTime.KERNEL32(?,02DFC7B0,?,02DE5B4F,02DFC7B0,00000000), ref: 02DE587C
                                                          • Part of subcall function 02DE586F: SystemTimeToFileTime.KERNEL32(?,000002BC,?,02DE5B4F,02DFC7B0,00000000), ref: 02DE5887
                                                          • Part of subcall function 02DE520B: __EH_prolog.LIBCMT ref: 02DE5210
                                                          • Part of subcall function 02DE9E55: __EH_prolog.LIBCMT ref: 02DE9E5A
                                                          • Part of subcall function 02DE9E55: GetTempPathA.KERNEL32(00000104,?), ref: 02DE9F40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prologTime$System$FilePathTemp
                                                        • String ID: %s-%d
                                                        • API String ID: 964141749-607189006
                                                        • Opcode ID: 04d8e63ce9dd911f52f0fa3a87165b272e43a91036d4f047783cd0b57e26a9fd
                                                        • Instruction ID: effef2172b8732598d439649b9fbfe41c6aabe27480535d344656f4fa7b2951b
                                                        • Opcode Fuzzy Hash: 04d8e63ce9dd911f52f0fa3a87165b272e43a91036d4f047783cd0b57e26a9fd
                                                        • Instruction Fuzzy Hash: 1A2127B1901248AFDF11EF95D880AEEBB75FF08398F848059E9266A350C7715E04CF61
                                                        Function 02BF0D70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetLongPathNameA.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000104,00000000,?), ref: 02BF0D97
                                                        Strings
                                                        • GetLongPathNameA('%s') -> %x (%s), xrefs: 02BF0DF4
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID: GetLongPathNameA('%s') -> %x (%s)
                                                        • API String ID: 82841172-1279362496
                                                        • Opcode ID: 9b387cab7548012469c1ad2f0f867ca50cba4c7f10667b2b4277b4d4c68068b5
                                                        • Instruction ID: 4023964ab635889ce06297e3c38d00bc47dca3a180e8f0f34372341faf338d9a
                                                        • Opcode Fuzzy Hash: 9b387cab7548012469c1ad2f0f867ca50cba4c7f10667b2b4277b4d4c68068b5
                                                        • Instruction Fuzzy Hash: 5F113D75509305AFD350EE19C880A6BB7E8FBC5654F400D5DF98593316D371E909CBE2
                                                        Function 02DE5A92 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5A97
                                                          • Part of subcall function 02DE9E55: __EH_prolog.LIBCMT ref: 02DE9E5A
                                                          • Part of subcall function 02DE9E55: GetTempPathA.KERNEL32(00000104,?), ref: 02DE9F40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog$PathTemp
                                                        • String ID: key
                                                        • API String ID: 3652545363-2324736937
                                                        • Opcode ID: 99a27e7328b0821aae707476d6566fed9a553079397fec4ecfcf21e099fb32af
                                                        • Instruction ID: 5f3aa8385b99e010ec1955ba4ccce8ac7bf44a52d425ff57c32eee121a379ff1
                                                        • Opcode Fuzzy Hash: 99a27e7328b0821aae707476d6566fed9a553079397fec4ecfcf21e099fb32af
                                                        • Instruction Fuzzy Hash: 6E113AB1D00248AECF01EF99D8905DEBFB5FF086A4F44805AE556A7301C7709E04CFA0
                                                        Function 02C019E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileType.KERNELBASE(?,?,00000001,00000000,?,?,?,02C4C608,000000FF), ref: 02C01A1F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: GetFileType %x -> 0x%x
                                                        • API String ID: 3081899298-4230906800
                                                        • Opcode ID: e9dcb1c533ed8291ae331606ac4f98c6dae26d9e4a6f2ed80a6c866ecb0e61bd
                                                        • Instruction ID: 65dcaeb2e2a28f602cba8fb1e45380e5a14e71455942f5e8a37d7bc18176b0c5
                                                        • Opcode Fuzzy Hash: e9dcb1c533ed8291ae331606ac4f98c6dae26d9e4a6f2ed80a6c866ecb0e61bd
                                                        • Instruction Fuzzy Hash: 9D01C071548341AFD314DF09C850BABFBA4EB89B20F040A2EF99A533D0C7B49548CAA2
                                                        Function 02DE5A3B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5A40
                                                          • Part of subcall function 02DE520B: __EH_prolog.LIBCMT ref: 02DE5210
                                                          • Part of subcall function 02DE9A81: __EH_prolog.LIBCMT ref: 02DE9A86
                                                          • Part of subcall function 02DE9A81: GetSystemTime.KERNEL32(?,?,03395710,00000000), ref: 02DE9A9B
                                                          • Part of subcall function 02DE9A81: SystemTimeToFileTime.KERNEL32(?,?), ref: 02DE9AAC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prologTime$System$File
                                                        • String ID: %s-%d
                                                        • API String ID: 3708477650-607189006
                                                        • Opcode ID: 2bb4f763f002fce3a5a73bee96bd781e3dca6d65b69e326ed06c0f3a90516efa
                                                        • Instruction ID: 67437076da24ddae36b2afd3f0c7415f46b1b80d9127910753612ac5d70af438
                                                        • Opcode Fuzzy Hash: 2bb4f763f002fce3a5a73bee96bd781e3dca6d65b69e326ed06c0f3a90516efa
                                                        • Instruction Fuzzy Hash: E3F03936940108FBDF12EF90D825BDC7B32EF04798F008504BA265A390C7719B649F50
                                                        Function 02BF5840 Relevance: 3.2, APIs: 2, Instructions: 151COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateDirectoryA.KERNEL32(?,00000000,?,00000000,00000000), ref: 02BF595B
                                                        • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000), ref: 02BF5984
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectory
                                                        • String ID:
                                                        • API String ID: 4241100979-0
                                                        • Opcode ID: b2895ec0d36cd5f35807c48229e95f7dd0bf3af75358e573da4aadeb61464391
                                                        • Instruction ID: cdda111394c5145940eec84866e30aa76c771c16a2aefd79db7e15dd8b8e9b27
                                                        • Opcode Fuzzy Hash: b2895ec0d36cd5f35807c48229e95f7dd0bf3af75358e573da4aadeb61464391
                                                        • Instruction Fuzzy Hash: 6D4129608087815BEB758F289840767BBD5DF4A728FA8C8DCDFE547242D334944EC762
                                                        Function 02C41502 Relevance: 3.1, APIs: 2, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetVersion.KERNEL32 ref: 02C41528
                                                          • Part of subcall function 02C43CF3: HeapCreate.KERNELBASE(00000000,00001000,00000000,02C41560,00000000), ref: 02C43D04
                                                          • Part of subcall function 02C43CF3: HeapDestroy.KERNEL32 ref: 02C43D43
                                                        • GetCommandLineA.KERNEL32 ref: 02C41576
                                                          • Part of subcall function 02C41606: ExitProcess.KERNEL32 ref: 02C41623
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$CommandCreateDestroyExitLineProcessVersion
                                                        • String ID:
                                                        • API String ID: 1387771204-0
                                                        • Opcode ID: 4ddb66c573704a002c78f6a4a5dd9e258618628f6d1e97ffaee01ad5ac66e52e
                                                        • Instruction ID: 3a26efa479d8737493809bff4ccb0933aa686fc7c6986d9ea38295a3cd4f65f6
                                                        • Opcode Fuzzy Hash: 4ddb66c573704a002c78f6a4a5dd9e258618628f6d1e97ffaee01ad5ac66e52e
                                                        • Instruction Fuzzy Hash: 441184B0D806419FEB04AF65D80DB7ABFA9EF44314F100E69E90597790DF345464EFA1
                                                        Function 02C43CF3 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,02C41560,00000000), ref: 02C43D04
                                                          • Part of subcall function 02C43BAB: GetVersionExA.KERNEL32 ref: 02C43BCA
                                                        • HeapDestroy.KERNEL32 ref: 02C43D43
                                                          • Part of subcall function 02C45173: RtlAllocateHeap.NTDLL(00000000,00000140,02C43D2C), ref: 02C45180
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateCreateDestroyVersion
                                                        • String ID:
                                                        • API String ID: 760317429-0
                                                        • Opcode ID: da9121cc3e141d86ac82f8915571639bc655d69371e02ae4b83170bd69dbe722
                                                        • Instruction ID: afccb6a4545833f77a0896043b06836ab9e1e935fea9245e4fc53fc14fc05c0e
                                                        • Opcode Fuzzy Hash: da9121cc3e141d86ac82f8915571639bc655d69371e02ae4b83170bd69dbe722
                                                        • Instruction Fuzzy Hash: 2AF06D70EA2381AEDB607B316C4973B3A959BD4B91F240E65F400CE094EF70C2D0E902
                                                        Function 02C0CDA0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(02C66BF0), ref: 02C0CDA7
                                                        • RtlLeaveCriticalSection.NTDLL(02C66BF0), ref: 02C0CDF4
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave
                                                        • String ID:
                                                        • API String ID: 3168844106-0
                                                        • Opcode ID: 218ac6869fb546a6e3c9950b6f15e966eedb39cca526db5b82432778007aee93
                                                        • Instruction ID: eeec83ad6f7daa1077bf1611ce186de45661777faf2ab33bb764b3c641a2b1e5
                                                        • Opcode Fuzzy Hash: 218ac6869fb546a6e3c9950b6f15e966eedb39cca526db5b82432778007aee93
                                                        • Instruction Fuzzy Hash: 8CF0B436E41B11BFCB109B2DE88CA963BD9E7843907200B36F801C3350DB38D955CB81
                                                        Function 02DEDA6F Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,02DEC8AD,00000001), ref: 02DEDA80
                                                          • Part of subcall function 02DED927: GetVersionExA.KERNEL32 ref: 02DED946
                                                        • HeapDestroy.KERNEL32 ref: 02DEDABF
                                                          • Part of subcall function 02DEDB74: HeapAlloc.KERNEL32(00000000,00000140,02DEDAA8,000003F8), ref: 02DEDB81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocCreateDestroyVersion
                                                        • String ID:
                                                        • API String ID: 2507506473-0
                                                        • Opcode ID: 67ec7a367ddeff45f856e613b0909e92e654b5628eb21c42ca4e3b12afee5bfd
                                                        • Instruction ID: 37ecff930c4b10552a073d7ad325ca33ce599167a5bca97b3c9b3f924b17fc98
                                                        • Opcode Fuzzy Hash: 67ec7a367ddeff45f856e613b0909e92e654b5628eb21c42ca4e3b12afee5bfd
                                                        • Instruction Fuzzy Hash: EEF03070E9C2419ADF507B305844B2927AF9B50756F154829E606CA3C0EF608E90DA21
                                                        Function 00201F03 Relevance: 3.0, APIs: 2, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 0020250D: GetModuleHandleW.KERNEL32(00000000,00201ECC), ref: 0020250F
                                                        • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00201F15
                                                        • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00203958,00000014), ref: 00201F44
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404252170.0000000000201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00200000, based on PE: true
                                                        • Associated: 00000001.00000002.1404227563.0000000000200000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404274469.0000000000203000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404302566.0000000000204000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404321269.0000000000205000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                        • Associated: 00000001.00000002.1404340131.0000000000207000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_200000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleModule_c_exit_exit
                                                        • String ID:
                                                        • API String ID: 750871209-0
                                                        • Opcode ID: 076919d0c281c67849e5073a25b05408a4c6f29704017732b21b85505e0a59e2
                                                        • Instruction ID: 8c730910b3083f3a0628a9c04fb15555101ad918074ec15392d010a67b64f734
                                                        • Opcode Fuzzy Hash: 076919d0c281c67849e5073a25b05408a4c6f29704017732b21b85505e0a59e2
                                                        • Instruction Fuzzy Hash: BFE04F3591435A8BCF259F94D80A3DCB771FB40324F104166D511236D2D7251824CA54
                                                        Function 02C07100 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RtlSizeHeap.NTDLL(?,00000000,?), ref: 02C0710E
                                                        • RtlFreeHeap.NTDLL(02C66A9C,00000000,?), ref: 02C0712B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeSize
                                                        • String ID:
                                                        • API String ID: 190658663-0
                                                        • Opcode ID: 2ef200af13d93119bde85fc4cb5eb3b4a4926ab888b8cfd0ff52276e0e520caa
                                                        • Instruction ID: c50446e050fc6a6c1c8973bef4efba18bde2a6f4654ab1fb02f81b3c8be210f6
                                                        • Opcode Fuzzy Hash: 2ef200af13d93119bde85fc4cb5eb3b4a4926ab888b8cfd0ff52276e0e520caa
                                                        • Instruction Fuzzy Hash: D3D012719D52217BD6105755AC09F973B1CEF45311F204A01F50AA6181C665A8908BA1
                                                        Function 02C07105 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RtlSizeHeap.NTDLL(?,00000000,?), ref: 02C0710E
                                                        • RtlFreeHeap.NTDLL(02C66A9C,00000000,?), ref: 02C0712B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeSize
                                                        • String ID:
                                                        • API String ID: 190658663-0
                                                        • Opcode ID: 01340981146d235e4c398736f90130e17d7bf9222a36bfb628250908e5832c80
                                                        • Instruction ID: 9c476082e97772f6e59fbe21151e629a651d845ea06fb2846ec79b367b761255
                                                        • Opcode Fuzzy Hash: 01340981146d235e4c398736f90130e17d7bf9222a36bfb628250908e5832c80
                                                        • Instruction Fuzzy Hash: 53D05E719D52207BD6105711AC09FA73A1CEF45312F100A01B50AA61C0CA61A8908AE1
                                                        Function 02DEB51D Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,02DECCE9,751309F0,02DFDF48,00000000,02DECCF8,02DECCF8), ref: 02DEB604
                                                          • Part of subcall function 02DECCD8: InitializeCriticalSection.KERNEL32(00000000,751309F0,02DFDF48,?,02DEBDB9,00000013), ref: 02DECD15
                                                          • Part of subcall function 02DECCD8: EnterCriticalSection.KERNEL32(02DFDF48,02DFDF48,?,02DEBDB9,00000013), ref: 02DECD30
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                        • String ID:
                                                        • API String ID: 1616793339-0
                                                        • Opcode ID: 7eb02bff1a8a161d9822607a68959f88c73c2ce96ec9859db14a6121be7c51c2
                                                        • Instruction ID: ca08c642aaadb7501b3dd58054d36dee1a00b420624f0536cef4ce9f64e4d312
                                                        • Opcode Fuzzy Hash: 7eb02bff1a8a161d9822607a68959f88c73c2ce96ec9859db14a6121be7c51c2
                                                        • Instruction Fuzzy Hash: C6218E32A40245ABDF10FB69D841B9EBBA8FB01768F104516E522EB7C0C774FD41CEA8
                                                        Function 02BE949E Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,00000001,?,00000000,?,00000000,?,00000000), ref: 02BE94BF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: b59b974c372518eb81647cfc8c8c20b55d06cd957e6638ac930a419d50a0d35f
                                                        • Instruction ID: 4bae7dffbb1194f03f57f5017ed3083fd29873e38f928d547541343693c56692
                                                        • Opcode Fuzzy Hash: b59b974c372518eb81647cfc8c8c20b55d06cd957e6638ac930a419d50a0d35f
                                                        • Instruction Fuzzy Hash: 99018B71109781AFCB14EF2498907AEB7E1AF85718F4059ADF49282281E771C489CB63
                                                        Function 02DE5124 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 02DE5129
                                                          • Part of subcall function 02DE34FD: __EH_prolog.LIBCMT ref: 02DE3502
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: e17c67c25d9fbcbf04d23c96530435a548e851b4fcc65a1a8cf535e20de6a999
                                                        • Instruction ID: 92cda7abda0db1c55684aff6d0da29969a013c4d1d74fb4e056ed37601769458
                                                        • Opcode Fuzzy Hash: e17c67c25d9fbcbf04d23c96530435a548e851b4fcc65a1a8cf535e20de6a999
                                                        • Instruction Fuzzy Hash: ED01697180024DABDF01FF94DC00BEE7BB9FF08358F504446F951A2280D7B0AA14CBA0
                                                        Function 02BFE88C Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileA.KERNELBASE(00000000,?,?), ref: 02BFE8C1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 3ca2b0e4266d25e2c95f11eebb48b337baddd7007327a7202eba6e57c8076b43
                                                        • Instruction ID: 0008674156b0ed4d105b3fc820a5f9d54915e854d96f1569f315fe10f2a48a75
                                                        • Opcode Fuzzy Hash: 3ca2b0e4266d25e2c95f11eebb48b337baddd7007327a7202eba6e57c8076b43
                                                        • Instruction Fuzzy Hash: 22F0E576344244ABE620EA04EC85FFB7358EBC5761F00491EFA8443141C777B419D7B2
                                                        Function 02DE197D Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1405131893.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02DE0000, based on PE: true
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFB000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        • Associated: 00000001.00000002.1405131893.0000000002DFE000.00000040.10000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2de0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: 3afc4990f29b204183c0661ff417997e14f7993b46815c0b1996b3cf0de3f644
                                                        • Instruction ID: b790c61c43ee1a62d0ef4c705083107f029711597664de19b7d7a6df7a4ad91a
                                                        • Opcode Fuzzy Hash: 3afc4990f29b204183c0661ff417997e14f7993b46815c0b1996b3cf0de3f644
                                                        • Instruction Fuzzy Hash: 4EF0F4B2A10B149FC724DF58D44075AB7F4EB18725F008A1EA4AAC3B40C3B4AA44CF94
                                                        Function 02C11B10 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 02C11B28
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: 18d3e4f8d86e29452797611a7cde4042d19bc0cef02825062f41b4bb6a61c54a
                                                        • Instruction ID: 8e2f02795aa0544af642fd44039cd7cb6e485a88fe17800962506a3524d42e13
                                                        • Opcode Fuzzy Hash: 18d3e4f8d86e29452797611a7cde4042d19bc0cef02825062f41b4bb6a61c54a
                                                        • Instruction Fuzzy Hash: 93E0B676608310AFD354CB58C884F6BB3E8EB88310F00C91EB5AA83640D670F8448B51
                                                        Function 02C11B80 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 02C11B98
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: 21271115f45ccce1580d34195f1ac47c00da60529f4b83401f6d5c8b1000a2ca
                                                        • Instruction ID: 0b8657633f7b78d694893f69c87fc96e8dd8307db7b837cc31ff33f21309c0a7
                                                        • Opcode Fuzzy Hash: 21271115f45ccce1580d34195f1ac47c00da60529f4b83401f6d5c8b1000a2ca
                                                        • Instruction Fuzzy Hash: 19D05EB1640721AFD320CA28C940F53B3E8EB48700F048C1EB65AD3540D370E880CB50
                                                        Function 02BE1000 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C41AB4,02C50730,000000FF), ref: 02BE100D
                                                          • Part of subcall function 02BE2210: GetModuleHandleA.KERNEL32(00000000), ref: 02BE2238
                                                          • Part of subcall function 02BE2210: ExitProcess.KERNEL32 ref: 02BE2276
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleModule$ExitProcess
                                                        • String ID:
                                                        • API String ID: 1584744360-0
                                                        • Opcode ID: a31c3aaa96c82d0224fd700f376b2301eff121f4f33144ec2f3422745d5d0df9
                                                        • Instruction ID: f7c23102a095b080a289ec1a3c188cc6515815653bfb43b54ea9b3af4f964210
                                                        • Opcode Fuzzy Hash: a31c3aaa96c82d0224fd700f376b2301eff121f4f33144ec2f3422745d5d0df9
                                                        • Instruction Fuzzy Hash: 45D067B5449301AFD300EF54D54975BBAE4BB84708F50894DE88996292D7F682988BE3
                                                        Function 02BE97EF Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 84eaef5891b4796ff779014e38caa8cafabe3cf7db0e9f3cf62c5d9b5bcb5c7a
                                                        • Instruction ID: ce5decf2808c6ecd8480ebbcd862de15058ab7a4b948231c22a679db7e15b9ed
                                                        • Opcode Fuzzy Hash: 84eaef5891b4796ff779014e38caa8cafabe3cf7db0e9f3cf62c5d9b5bcb5c7a
                                                        • Instruction Fuzzy Hash: F0B09235408620868E80EE0CB9456EA3351EF89626F0A09C1F842A6216C311C99A96A6
                                                        Function 02C06F60 Relevance: 1.3, APIs: 1, Instructions: 22memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000012,00000040,?,00000040,?,02BF401F,02BF3E22,00000000,00004000,00101000,00000040,|APISPYA| %x:%s:%s,02BF401F,00000012), ref: 02C06F76
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 03302356a8c9f6b7fc2d2eae390e8e53bedec1b2fdfc8cfc1398f051820a2c7d
                                                        • Instruction ID: 1dabcce5f259c976f07f992ae9617116995662cf39dc8bbb73cb1f76f19987fc
                                                        • Opcode Fuzzy Hash: 03302356a8c9f6b7fc2d2eae390e8e53bedec1b2fdfc8cfc1398f051820a2c7d
                                                        • Instruction Fuzzy Hash: 38E0EC7A6043617BC210DA55AC44E6BB7A9EFC5B11F054A1DF94493340D670DD059AB2
                                                        Function 02C11BD0 Relevance: 1.3, APIs: 1, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C11A70: UnmapViewOfFile.KERNEL32(?), ref: 02C11A7B
                                                          • Part of subcall function 02C11A70: CloseHandle.KERNEL32(?), ref: 02C11A8D
                                                        • CloseHandle.KERNELBASE(?,?,02C11AF8), ref: 02C11BE7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle$FileUnmapView
                                                        • String ID:
                                                        • API String ID: 260491571-0
                                                        • Opcode ID: 8f288e927a55fbcecce12e1c447ab5f417bca1a41510f4763e6ccc74773d6276
                                                        • Instruction ID: c44a6605198dfb9fcff249f437475c3d927030b083ac15a692319914a581cc2b
                                                        • Opcode Fuzzy Hash: 8f288e927a55fbcecce12e1c447ab5f417bca1a41510f4763e6ccc74773d6276
                                                        • Instruction Fuzzy Hash: 49D012B054563087C6241F6CA50484A76E46E4A3203240F9DF8A9D32D0D7B4DDC19B54

                                                        Non-executed Functions

                                                        Function 02C01309 Relevance: 28.5, APIs: 12, Strings: 4, Instructions: 530fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 02C01186
                                                        • FindClose.KERNEL32(00000000), ref: 02C01194
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 02C0133A
                                                        • FindClose.KERNEL32(00000000), ref: 02C01345
                                                        • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 02C01462
                                                        • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 02C015E0
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 02C01683
                                                        • CloseHandle.KERNEL32(?), ref: 02C01737
                                                        • CloseHandle.KERNEL32(?,?,?,?,?), ref: 02C01750
                                                        Strings
                                                        • Extracting %s..., xrefs: 02C0124E
                                                        • While extracting %s, failed to read from %s, xrefs: 02C015FA
                                                        • Write failed while extracting %sDisk space may be full, xrefs: 02C016A0
                                                        • Unable to extract '%s'Write Permission denied, xrefs: 02C013A0
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CloseFind$FirstHandle$PointerReadWrite
                                                        • String ID: Extracting %s...$Unable to extract '%s'Write Permission denied$While extracting %s, failed to read from %s$Write failed while extracting %sDisk space may be full
                                                        • API String ID: 3823046381-2211878283
                                                        • Opcode ID: 67714de8ddd1baac9726add0f7a66097131f272d82a60b9289b8af0caed48c0c
                                                        • Instruction ID: 2f9a88dbb4c21ac091ad29f59b21e339826b6b2a1f6d0c7149c2534c54407800
                                                        • Opcode Fuzzy Hash: 67714de8ddd1baac9726add0f7a66097131f272d82a60b9289b8af0caed48c0c
                                                        • Instruction Fuzzy Hash: F8126E715083419FDB25DF64C890B6BB7E9AFC8704F084A1DF98A97281D7B0EA45CB92
                                                        Function 02C09600 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 470fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02BFFE10: GetFileSize.KERNEL32(?,?,?,?,?,?), ref: 02BFFE2F
                                                        • CreateFileMappingA.KERNEL32(000000FF,?,00000040,00000000,?,?), ref: 02C0979D
                                                        • CreateFileMappingA.KERNEL32(000000FF,?,00000004,00000000,?,?), ref: 02C097C3
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02C097E3
                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 02C098C8
                                                        • CreateFileMappingA.KERNEL32(000000FF,?,?,?,?,?), ref: 02C099D8
                                                        • GetLastError.KERNEL32 ref: 02C099E0
                                                        • CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02C09A21
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02C09A37
                                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 02C09A4A
                                                        • SetLastError.KERNEL32(?), ref: 02C09BFF
                                                        Strings
                                                        • (*** failed - %s), xrefs: 02C09B6B
                                                        • CreateFileMappingA/W handle=%x (memory-backed internal) filename='%s' name='%s' -> h=%x %s, xrefs: 02C09BD9
                                                        • gfff, xrefs: 02C09729
                                                        • (success), xrefs: 02C09B30
                                                        • CreateFileMappingA/W handle=%x (SEC_IMAGE internal) filename='%s' name='%s' -> h=%x, xrefs: 02C099A6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CreateMappingView$CloseErrorHandleLast$SizeUnmap
                                                        • String ID: (*** failed - %s)$(success)$CreateFileMappingA/W handle=%x (SEC_IMAGE internal) filename='%s' name='%s' -> h=%x$CreateFileMappingA/W handle=%x (memory-backed internal) filename='%s' name='%s' -> h=%x %s$gfff
                                                        • API String ID: 292820964-3659829496
                                                        • Opcode ID: d364d577de020ac86524944833b9c9f5fe902587822e249c632d6f397f78732d
                                                        • Instruction ID: e91d3855b91e6f05d58865d22cc55bdbaf3a9a784ff1d37461d8af8d75790827
                                                        • Opcode Fuzzy Hash: d364d577de020ac86524944833b9c9f5fe902587822e249c632d6f397f78732d
                                                        • Instruction Fuzzy Hash: ED024C71608345AFD324DF54C890BABB7E9ABC8714F044A1CFA99972C1DB74E944CBA2
                                                        Function 02C011B4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160timeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CompareFileTime.KERNEL32(?,?), ref: 02C011DB
                                                        • CompareFileTime.KERNEL32(?,?), ref: 02C011F5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CompareFileTime
                                                        • String ID: Extracting %s...
                                                        • API String ID: 4282505081-888423579
                                                        • Opcode ID: 22c5bcc9a136c161e9b126e6ec5adabdd7956631bb476c5b50e5af2ef0ee7d5e
                                                        • Instruction ID: cb9fe8bb001ed38b4b167a38185fdbfba4021e17545508075af43072335ba190
                                                        • Opcode Fuzzy Hash: 22c5bcc9a136c161e9b126e6ec5adabdd7956631bb476c5b50e5af2ef0ee7d5e
                                                        • Instruction Fuzzy Hash: 9351A4759083859BC721DF64D884BAAF7E9AFD8304F084E5CE88993281D7B59648CF63
                                                        Function 02BF06D0 Relevance: 7.9, APIs: 5, Instructions: 412fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetLastError.KERNEL32(0000007B,?,00000000,?,?), ref: 02BF08A2
                                                        • FindFirstFileA.KERNEL32(?,?,?), ref: 02BF0A8E
                                                        • FindClose.KERNEL32(00000000), ref: 02BF0A9E
                                                        • SetLastError.KERNEL32(00000002), ref: 02BF0B86
                                                        • SetLastError.KERNEL32(00000057,?,00000000,?,?), ref: 02BF0B90
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2112191105-0
                                                        • Opcode ID: c9ab36e9093f238fe164fc3d1c00044942bde28ea4c8462784c3c9d7cf0b028f
                                                        • Instruction ID: 7baf65cb43fd607b66a6b5c71f900fbdd356b3cb6b09106c9c9968939b097ec0
                                                        • Opcode Fuzzy Hash: c9ab36e9093f238fe164fc3d1c00044942bde28ea4c8462784c3c9d7cf0b028f
                                                        • Instruction Fuzzy Hash: 7DF1E1745083418FCB64DF28C480A6BB7E5FF89704F084E9DE9D997256E770E90ACB92
                                                        Function 02C2D3A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C2BDC0: GetLastError.KERNEL32(00000000,?,00000000,02C4E858,000000FF,02C2DDF8,00000000,00000014), ref: 02C2BDF9
                                                          • Part of subcall function 02C2BDC0: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02C4EB68,000000FF), ref: 02C2BE46
                                                        • FindResourceA.KERNEL32(00000000), ref: 02C2D3F1
                                                        Strings
                                                        • FindResourceA mod=%x(%s) name=%x type=%x -> %x, xrefs: 02C2D450
                                                        • FindResourceA mod=%x(%s) name=%s type=%x -> %x, xrefs: 02C2D444
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$FindResource
                                                        • String ID: FindResourceA mod=%x(%s) name=%s type=%x -> %x$FindResourceA mod=%x(%s) name=%x type=%x -> %x
                                                        • API String ID: 3602213734-1936814525
                                                        • Opcode ID: 54a5342c86e918695b56936104086cb9e376904247a9b503af1f43f65bd1cce7
                                                        • Instruction ID: 5fb5591f3963509b0d23f4f0e8667b02a471ea73995f6016795c6ff955905bba
                                                        • Opcode Fuzzy Hash: 54a5342c86e918695b56936104086cb9e376904247a9b503af1f43f65bd1cce7
                                                        • Instruction Fuzzy Hash: 132195B59443149FD210DF59D880B5BB7A9FBD9758F000A1CF996A3341DB31EA04CB62
                                                        Function 02C15085 Relevance: 3.2, APIs: 2, Instructions: 190fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 02C150F1
                                                        • FindClose.KERNEL32(00000000), ref: 02C15103
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 087a0bfb106b8fd629ca3dc29c0bdbaf9a0314950912800bb258fbef4f1c6b8d
                                                        • Instruction ID: 45206f0b6c8d6dbe4d5fbfcbc6fcf56c4db8c2c4a6ab05327862843c4e39c039
                                                        • Opcode Fuzzy Hash: 087a0bfb106b8fd629ca3dc29c0bdbaf9a0314950912800bb258fbef4f1c6b8d
                                                        • Instruction Fuzzy Hash: B261C5716047408BCB35CE24CC827AF73D6AFC63A4F944D1DE89A472C0D7749685EB52
                                                        Function 02C02090 Relevance: 1.5, APIs: 1, Instructions: 45fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CopyFileA.KERNEL32(00000000,00000000,?), ref: 02C020ED
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 02f781de12766b83a0090fb6dd6010956aa3096a4932182583bbf977197892bd
                                                        • Instruction ID: eac9f0130c1163a0ef94596915361243aeff5b20198284563b941cf0099de496
                                                        • Opcode Fuzzy Hash: 02f781de12766b83a0090fb6dd6010956aa3096a4932182583bbf977197892bd
                                                        • Instruction Fuzzy Hash: C9F0A4762003007EE220E664DC89FFFB79DDBC5755F00481DFA0886181E6785919D7F2
                                                        Function 02BE1150 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02BE117F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 6e8da3862cec63d5a25abd563c22116c943376954d582f930992733d194aed0e
                                                        • Instruction ID: 53877584418f2e18755906e6a0a7ec10c835c1ed2f827e953294cd580f6ebf23
                                                        • Opcode Fuzzy Hash: 6e8da3862cec63d5a25abd563c22116c943376954d582f930992733d194aed0e
                                                        • Instruction Fuzzy Hash: 7AF037713103059BEA10CF5EE848B21F7ACFB44679F2487D5E52E8B192D734DC90C655
                                                        Function 02BFD091 Relevance: .0, Instructions: 28COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileHandleInformationLast
                                                        • String ID:
                                                        • API String ID: 275135790-0
                                                        • Opcode ID: a0a79a16393ac76fa56e80422311204a25fc556d4ffd90f48ea8bdc17ad9bcdc
                                                        • Instruction ID: afb702b1d43b769f50215775d05f5ea68faf05e4d1cab1960fab0f61beb27812
                                                        • Opcode Fuzzy Hash: a0a79a16393ac76fa56e80422311204a25fc556d4ffd90f48ea8bdc17ad9bcdc
                                                        • Instruction Fuzzy Hash: 8DE01A739042169B8610DE09B840EEFFBB8EFDA660F05082FF950E3100D324D84E86B6
                                                        Function 02BF26A1 Relevance: .0, Instructions: 11COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ed7dab30b439536798252de3f68a64333082325899e4a4fc54a785ba986fd0a9
                                                        • Instruction ID: b122788e9675d4207ea2db2fcacaa57f2a28694e3c4d99ba52d87cb53164c03d
                                                        • Opcode Fuzzy Hash: ed7dab30b439536798252de3f68a64333082325899e4a4fc54a785ba986fd0a9
                                                        • Instruction Fuzzy Hash: 3BB09280986AC65452662E7404004E0FF320A43936A2873C5EAFA2F2E28B80C186EA39
                                                        Function 02BF36B0 Relevance: 82.6, APIs: 24, Strings: 23, Instructions: 347windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCommandLineA.KERNEL32(?,?,02BE23D6,00000000,02C661E4,02C661AC,00000000,00000000,?), ref: 02BF372F
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF3736
                                                        • MessageBoxA.USER32(00000000,?,Process starting,00000001), ref: 02BF375C
                                                        • GetCommandLineA.KERNEL32 ref: 02BF37BB
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF37C2
                                                        • MessageBoxA.USER32(00000000,?,Process ending,00000001), ref: 02BF37E8
                                                        • GetCommandLineA.KERNEL32 ref: 02BF3847
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF384E
                                                        • MessageBoxA.USER32(00000000,?,Module loading,00000001), ref: 02BF3874
                                                        • GetCommandLineA.KERNEL32 ref: 02BF38D3
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF38DA
                                                        • MessageBoxA.USER32(00000000,?,Module unloading,00000001), ref: 02BF3900
                                                        • GetCommandLineA.KERNEL32 ref: 02BF395F
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF3966
                                                        • MessageBoxA.USER32(00000000,?,DLL_PROCESS_ATTACH,00000001), ref: 02BF398C
                                                        • GetCommandLineA.KERNEL32 ref: 02BF39EB
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF39F2
                                                        • MessageBoxA.USER32(00000000,?,DLL_PROCESS_DETACH,00000001), ref: 02BF3A18
                                                        • GetCommandLineA.KERNEL32 ref: 02BF3A77
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF3A7E
                                                        • MessageBoxA.USER32(00000000,?,DLL_THREAD_ATTACH,00000001), ref: 02BF3AA4
                                                        • GetCommandLineA.KERNEL32 ref: 02BF3AF4
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF3AFB
                                                        • MessageBoxA.USER32(00000000,?,DLL_PROCESS_DETACH,00000001), ref: 02BF3B21
                                                        Strings
                                                        • Module loading, xrefs: 02BF386C
                                                        • Process starting, xrefs: 02BF3754
                                                        • Process ending, xrefs: 02BF37E0
                                                        • |dll_load_start| %s, xrefs: 02BF3802
                                                        • |process_end| %s, xrefs: 02BF3776
                                                        • Calling DLL_PROCESS_ATTACH for %s, xrefs: 02BF391A
                                                        • Process starting: %sProcess ID=0x%x (%d)Command Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF3742
                                                        • Module unloading, xrefs: 02BF38F8
                                                        • |process_start| %s, xrefs: 02BF36EA
                                                        • DLL_PROCESS_ATTACH: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF3972
                                                        • DLL_THREAD_DETACH %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF3B07
                                                        • Calling DLL_THREAD_DETACH for %s, xrefs: 02BF3ABB
                                                        • Calling DLL_THREAD_ATTACH for %s, xrefs: 02BF3A32
                                                        • DLL_THREAD_ATTACH, xrefs: 02BF3A9C
                                                        • |dll_load_end| %s, xrefs: 02BF388E
                                                        • DLL_THREAD_ATTACH %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF3A8A
                                                        • Loading Module: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF385A
                                                        • Calling DLL_PROCESS_DETACH for %s, xrefs: 02BF39A6
                                                        • ExitProcess: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF37CE
                                                        • DLL_PROCESS_DETACH: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF39FE
                                                        • DLL_PROCESS_DETACH, xrefs: 02BF3A10, 02BF3B19
                                                        • DLL_PROCESS_ATTACH, xrefs: 02BF3984
                                                        • Unloading Module: %sProcess ID=0x%x (%d)Command Line=%sPress OK to continue, Cancel to execute breakpoint, xrefs: 02BF38E6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CommandCurrentLineMessageProcess
                                                        • String ID: Calling DLL_PROCESS_ATTACH for %s$Calling DLL_PROCESS_DETACH for %s$Calling DLL_THREAD_ATTACH for %s$Calling DLL_THREAD_DETACH for %s$DLL_PROCESS_ATTACH$DLL_PROCESS_ATTACH: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$DLL_PROCESS_DETACH$DLL_PROCESS_DETACH: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$DLL_THREAD_ATTACH$DLL_THREAD_ATTACH %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$DLL_THREAD_DETACH %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$ExitProcess: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$Loading Module: %sProcess ID=0x%xCommand Line=%sPress OK to continue, Cancel to execute breakpoint$Module loading$Module unloading$Process ending$Process starting$Process starting: %sProcess ID=0x%x (%d)Command Line=%sPress OK to continue, Cancel to execute breakpoint$Unloading Module: %sProcess ID=0x%x (%d)Command Line=%sPress OK to continue, Cancel to execute breakpoint$|dll_load_end| %s$|dll_load_start| %s$|process_end| %s$|process_start| %s
                                                        • API String ID: 2116203624-1763466667
                                                        • Opcode ID: 418b95582b9005c22c8e737294c51379837355e0fca24e945f6afb0d76c14b4b
                                                        • Instruction ID: ca4c69883b80398d4de3057c3aed53832477c2b5b2e417576c3ee37b4a9a7093
                                                        • Opcode Fuzzy Hash: 418b95582b9005c22c8e737294c51379837355e0fca24e945f6afb0d76c14b4b
                                                        • Instruction Fuzzy Hash: 05B133719803506BEA80BB64DC56FBB33DDDF04745F040AD8FE02E7142DBA4E598CAA5
                                                        Function 02BF33B0 Relevance: 58.0, APIs: 14, Strings: 19, Instructions: 200filetimeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetSystemTime.KERNEL32(?,00000000,00000000,?,00000000), ref: 02BF33D7
                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000100,?,00000000), ref: 02BF33F3
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 02BF33FC
                                                        • GetCurrentProcessId.KERNEL32(?,00000000), ref: 02BF3427
                                                        • CreateFileA.KERNEL32(02C66630,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 02BF3486
                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02BF34B9
                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02BF34BC
                                                        • GetVersionExA.KERNEL32(?), ref: 02BF34D1
                                                        • GetCommandLineA.KERNEL32 ref: 02BF35DE
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 02BF35E5
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 02BF3614
                                                        • GetEnvironmentStrings.KERNEL32 ref: 02BF362F
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 02BF3662
                                                        • VirtualQuery.KERNEL32(Function_0000DD30,?,0000001C), ref: 02BF3674
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Module$CurrentFile$EnvironmentHandleNameProcessStrings$CommandCreateDirectoryFreeLineQuerySystemTimeVersionVirtual
                                                        • String ID: %s-%s-%x.trace$061018$2.730$3$Current Directory = %s$Logging started for Module=%s Using archive=%s PID=0x%x CommandLine = %s$Thinstall Version %s / %s, Windows %d.%d (%s)$Thinstall loaded at %x-%x$Unknown$Windows 2000$Windows 95$Windows 98$Windows ME$Windows NT 3.51$Windows NT 4.0$Windows Server 2003$Windows XP$Z$|start_env_var| %s
                                                        • API String ID: 913614530-3327784266
                                                        • Opcode ID: b067954d86f0737ea2d0963d48322c988edd427b90e329e5b5b07844672d852a
                                                        • Instruction ID: 38bcc45f03a0cc48e7478f27431962cad08af66632c60e3357f6a16c356e7e95
                                                        • Opcode Fuzzy Hash: b067954d86f0737ea2d0963d48322c988edd427b90e329e5b5b07844672d852a
                                                        • Instruction Fuzzy Hash: EA71D2B05483909FD7609F65C888BABBBE8EF85304F404EACFA9597241D774D588CF52
                                                        Function 02C3A180 Relevance: 49.4, APIs: 16, Strings: 12, Instructions: 427fileprocessthreadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C39E00: StringFromCLSID.COMBASE(?,?), ref: 02C39E3C
                                                          • Part of subcall function 02C39E00: CoTaskMemFree.COMBASE(?), ref: 02C39E60
                                                        • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 02C3A1FF
                                                        • CloseHandle.KERNEL32(00000000,?,?,vreg-%s,?), ref: 02C3A26A
                                                        • StringFromCLSID.COMBASE(?,?), ref: 02C3A27B
                                                        • CoTaskMemFree.COMBASE(?), ref: 02C3A29C
                                                        • GetStartupInfoA.KERNEL32(?), ref: 02C3A395
                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02C3A450
                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02C3A499
                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,00000010,?), ref: 02C3A4F0
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02C3A504
                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,?), ref: 02C3A546
                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,vreg-%s), ref: 02C3A565
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C3A595
                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C3A603
                                                        • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C3A60E
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C3A61B
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C3A61E
                                                        Strings
                                                        • D, xrefs: 02C3A38C
                                                        • vreg-%s, xrefs: 02C3A1C9
                                                        • start_server:%s (already running), xrefs: 02C3A242
                                                        • start_server:running %s for %s, xrefs: 02C3A3CF
                                                        • "%s" -Embedding, xrefs: 02C3A421
                                                        • comlocked-%d, xrefs: 02C3A52F
                                                        • waitid-%d, xrefs: 02C3A4C8
                                                        • start_server:signal received from %s (%s), xrefs: 02C3A661
                                                        • start_server:waiting for singal from %s (%s), xrefs: 02C3A5D3
                                                        • start_server:server quit without signaling %s (%s), xrefs: 02C3A6F5
                                                        • CLSID\%s\LocalServer32, xrefs: 02C3A2B8
                                                        • CLSID\%s\LocalServer, xrefs: 02C3A313
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Create$File$CloseHandle$FreeFromMappingProcessStringTaskView$EventInfoMultipleObjectsOpenResumeSemaphoreStartupThreadUnmapWait
                                                        • String ID: "%s" -Embedding$CLSID\%s\LocalServer$CLSID\%s\LocalServer32$D$comlocked-%d$start_server:%s (already running)$start_server:running %s for %s$start_server:server quit without signaling %s (%s)$start_server:signal received from %s (%s)$start_server:waiting for singal from %s (%s)$vreg-%s$waitid-%d
                                                        • API String ID: 3370908528-757437489
                                                        • Opcode ID: 405271cc705f471922ea9faa7c99ad3bfdcde57b3401bdc111e02f2170a737e2
                                                        • Instruction ID: 5ff2b687c625774780796dc9fa7dc38848372f34681bd7b8f1e9c7d0979c423e
                                                        • Opcode Fuzzy Hash: 405271cc705f471922ea9faa7c99ad3bfdcde57b3401bdc111e02f2170a737e2
                                                        • Instruction Fuzzy Hash: 63F18F71648341AFE310DB64CC55FABB7A8AF99704F044D5CFA8997281DBB0E548CB63
                                                        Function 02BEB7D0 Relevance: 44.0, APIs: 1, Strings: 24, Instructions: 226COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetEnvironmentVariableA.KERNEL32(THNOCMDLN,?,00000002,?,000000FF,02C055EA,02BE2428,?,?,?,?,?,00000000,00000000,?), ref: 02BEB805
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentVariable
                                                        • String ID: CreateServiceA$CreateServiceW$CreateThread$DisableThreadLibraryCalls$ExitProcess$ExitThread$FreeLibrary$FreeLibraryAndExitThread$GetCommandLineA$GetCommandLineW$GetModuleFileNameA$GetModuleFileNameW$GetModuleHandleA$GetModuleHandleW$GetProcAddress$LoadLibraryA$LoadLibraryExA$LoadLibraryExW$LoadLibraryW$SearchPathA$SearchPathW$THNOCMDLN$TerminateProcess$kernel32.dll
                                                        • API String ID: 1431749950-437942506
                                                        • Opcode ID: 694e1a4104af4ad2aac0a2de7315a7ba4faf9bc28cb44b203f3156351f72ceec
                                                        • Instruction ID: bb41e65d70c618d1799af2f80a0a12a82bd4b3f3adf0aec1c4d68a6d44abef6e
                                                        • Opcode Fuzzy Hash: 694e1a4104af4ad2aac0a2de7315a7ba4faf9bc28cb44b203f3156351f72ceec
                                                        • Instruction Fuzzy Hash: 3861D7B06887257AFA00BB545C82F5A774DDF19B34F2003A4F437712D1DFA8AD009A9E
                                                        Function 02BE2020 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 146libraryloadermemoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetEnvironmentStrings.KERNEL32(00000000,?,?,?), ref: 02BE2034
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000,?), ref: 02BE2048
                                                        • LoadLibraryA.KERNEL32(?), ref: 02BE20A6
                                                        • VirtualProtect.KERNEL32(?,02BE22B7,00000040,?), ref: 02BE20D5
                                                        • GetProcAddress.KERNEL32(00000000,debug_version), ref: 02BE20E1
                                                        • MessageBoxA.USER32(00000000,?,Can't Debug,00000000), ref: 02BE214E
                                                        • FreeLibrary.KERNEL32(00000000), ref: 02BE2155
                                                        • GetProcAddress.KERNEL32(00000000,debug_proc), ref: 02BE216E
                                                        • ExitProcess.KERNEL32 ref: 02BE2197
                                                        Strings
                                                        • 2.730, xrefs: 02BE20EF, 02BE2123
                                                        • os_exe.exe compiled in program was built with version %sos_debug.dll was compiled with version %sPlease rebuild EXE to permit debugging, xrefs: 02BE2129
                                                        • find proc failed, xrefs: 02BE21CC
                                                        • debug_proc, xrefs: 02BE2168
                                                        • Can't Debug, xrefs: 02BE2146
                                                        • load lib failed, xrefs: 02BE21D8
                                                        • C:\jc\VOS2\thinstall\os\ts_stub.cpp, xrefs: 02BE21E2
                                                        • debug_version, xrefs: 02BE20DB
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressEnvironmentFreeLibraryProcStrings$ExitLoadMessageProcessProtectVirtual
                                                        • String ID: 2.730$C:\jc\VOS2\thinstall\os\ts_stub.cpp$Can't Debug$debug_proc$debug_version$find proc failed$load lib failed$os_exe.exe compiled in program was built with version %sos_debug.dll was compiled with version %sPlease rebuild EXE to permit debugging
                                                        • API String ID: 302778263-3987336985
                                                        • Opcode ID: d6f601f202d1c140f653408b664aab344a0992660ca85a42be6ee99317761144
                                                        • Instruction ID: 0d055d11a751a81d09191f4b2a8751c94f77cb4aeeee0615032f5d5740b11011
                                                        • Opcode Fuzzy Hash: d6f601f202d1c140f653408b664aab344a0992660ca85a42be6ee99317761144
                                                        • Instruction Fuzzy Hash: A3414A756803006BEB209B24DC86BBB37ACEF84715F040668EE4BD6241EB75D5C9C763
                                                        Function 02BE3670 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 127libraryloaderwindowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(NTDLL.DLL), ref: 02BE36CE
                                                        • GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 02BE36E9
                                                        • GetVersionExA.KERNEL32 ref: 02BE372C
                                                        • MessageBoxA.USER32(00000000,?,Application error,00000000), ref: 02BE3774
                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02BE3782
                                                        • SetLastError.KERNEL32(00000000), ref: 02BE3794
                                                        • SetLastError.KERNEL32 ref: 02BE37AE
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 02BE37CC
                                                        Strings
                                                        • *** Exception occured during DllMain %s, xrefs: 02BE3694
                                                        • The application failed to initialize properly (0x%08x). Click on OK to terminate the application., xrefs: 02BE3758
                                                        • NtRaiseHardError, xrefs: 02BE36E3
                                                        • Application error, xrefs: 02BE376C
                                                        • unknown notification, xrefs: 02BE368E, 02BE3693
                                                        • RtlNtStatusToDosError, xrefs: 02BE377C
                                                        • NTDLL.DLL, xrefs: 02BE36C9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressErrorLastProc$ExceptionFilterHandleMessageModuleUnhandledVersion
                                                        • String ID: *** Exception occured during DllMain %s$Application error$NTDLL.DLL$NtRaiseHardError$RtlNtStatusToDosError$The application failed to initialize properly (0x%08x). Click on OK to terminate the application.$unknown notification
                                                        • API String ID: 1537621581-339925891
                                                        • Opcode ID: db88c0f74235636ea274e059e310ea9ebc0fa58e899bc21a81fd61acf61df965
                                                        • Instruction ID: 96026e8b0dee41fb5dc82f5e7e06e838b9852034bcd9bb2a1091b12308cbbeff
                                                        • Opcode Fuzzy Hash: db88c0f74235636ea274e059e310ea9ebc0fa58e899bc21a81fd61acf61df965
                                                        • Instruction Fuzzy Hash: F241E674A403119BFB20DF24DC85F7A73E9EB88711F1009A9F946D7280C775E885CBA2
                                                        Function 02C36640 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 342COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02C4F2F1,000000FF,02C05621,02BE2428), ref: 02C367C1
                                                          • Part of subcall function 02C0D8A0: RtlInitializeCriticalSection.NTDLL(00000004), ref: 02C0D8B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CriticalCurrentInitializeProcessSection
                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$Module32First$Module32FirstW$Module32Next$Module32NextW$OpenProcess$kernel32.dll$psapi.dll
                                                        • API String ID: 2016450865-1472929229
                                                        • Opcode ID: 9105fe18d43312e4e5fa8af1cc45ca08a66ae332f93fe2312fc5153b0a1e97dd
                                                        • Instruction ID: 317979993f7a48388389a197cd315aef81eb856aa6dcf2233ae3e0c9921a7df3
                                                        • Opcode Fuzzy Hash: 9105fe18d43312e4e5fa8af1cc45ca08a66ae332f93fe2312fc5153b0a1e97dd
                                                        • Instruction Fuzzy Hash: 45B108706443057BE611AF258C85E6FBBDEDB85724B644E2CF057533C0DBB4A9048F9A
                                                        Function 02BF93B0 Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 415processCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetEnvironmentVariableA.KERNEL32 ref: 02BF9411
                                                        • SetEnvironmentVariableA.KERNEL32(TS_EXECUTE_EXTERNAL,00000000), ref: 02BF9421
                                                        • GetFileAttributesA.KERNEL32(?), ref: 02BF9792
                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,00000000,?,?,?), ref: 02BF9879
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,TS_EXECUTE_EXTERNAL,?,00000002), ref: 02BF9891
                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,TS_EXECUTE_EXTERNAL,?,00000002), ref: 02BF98AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentErrorLastVariable$AttributesCreateFileProcess
                                                        • String ID: "%s"$"%s"%s$*** CreateProcess returned FALSE$.exe$CreateProcess app='%s' cmdline='%s' -> %x (*** could not find '%s' ***)$NULL$TS_EXECUTE_EXTERNAL
                                                        • API String ID: 3103954285-3708759760
                                                        • Opcode ID: 655e22f32e854afadb80796cf5f02bd520bdfec1940b6055d76927855a189131
                                                        • Instruction ID: 7bf1e2bba871bf8803f76d66fda09adbfb0f1691a466f10aee1a54faccd338f0
                                                        • Opcode Fuzzy Hash: 655e22f32e854afadb80796cf5f02bd520bdfec1940b6055d76927855a189131
                                                        • Instruction Fuzzy Hash: E0F180715087809FD770EF69C894BABB7E9EF95304F144E8CE99A43281DB74A448CB63
                                                        Function 02C06330 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 149filethreadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 02C06367
                                                        • GetCurrentProcessId.KERNEL32 ref: 02C0638A
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 02C06394
                                                        • GetCurrentProcessId.KERNEL32 ref: 02C0641C
                                                        • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 02C064CD
                                                        • GetCurrentProcessId.KERNEL32(00000000,00000002,?,00000000,00000000,?,?,?,?,?,00000000), ref: 02C064F0
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 02C06509
                                                        • CloseHandle.KERNEL32(00000000), ref: 02C06529
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcess$CloseHandle$CreateFileOpenThread
                                                        • String ID: %s(%x)_addr=%x$%s.%03d.%s.dmp$%s.%08x$Generated dump file %s - use windbg.exe (Debugging Tools for Windows) to see details$Unkown_exception
                                                        • API String ID: 1310135946-1527711897
                                                        • Opcode ID: cfd66a2dd9ee9ff086b7399bc909448060b35d3bc2e7285d0f37cff645c44d92
                                                        • Instruction ID: 1ca4c37975ff1028251d651674a1f49bf82393590db4124f6e619bcf242b7f6f
                                                        • Opcode Fuzzy Hash: cfd66a2dd9ee9ff086b7399bc909448060b35d3bc2e7285d0f37cff645c44d92
                                                        • Instruction Fuzzy Hash: C451F771A80301AFE310DF25DC45B6A77ACEB88714F244B1CF966932C1D774E554CB92
                                                        Function 02BF1190 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 81libraryloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetProcAddress.KERNEL32(02C6610C,GetLongPathNameA), ref: 02BF11AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: FindClose$FindFirstFileA$FindFirstFileExA$FindFirstFileExW$FindFirstFileW$FindNextFileA$FindNextFileW$GetLongPathNameA$GetLongPathNameW$GetShortPathNameA$GetShortPathNameW$kernel32.dll
                                                        • API String ID: 190572456-257192743
                                                        • Opcode ID: a719abcd5bed9302e94235829324abbce4eef6cd9741ee7e7a1bb8456f1f6cea
                                                        • Instruction ID: 484dfdf9d8e4f4853c9e951de957c11cec02cc5486ad0d278920f9622f4b53bd
                                                        • Opcode Fuzzy Hash: a719abcd5bed9302e94235829324abbce4eef6cd9741ee7e7a1bb8456f1f6cea
                                                        • Instruction Fuzzy Hash: AD11F871BC9B31B1FA5172941D83F4A2B494B1AF30E300790BA37742F99EE8B941649E
                                                        Function 02C24030 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 446COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C0D8E0: RtlInitializeCriticalSection.NTDLL(02C665E4), ref: 02C0D8EC
                                                          • Part of subcall function 02C0D8E0: RtlEnterCriticalSection.NTDLL(02C665DC), ref: 02C0D8FC
                                                        • CLSIDFromString.COMBASE(?,?), ref: 02C24540
                                                        • CLSIDFromString.COMBASE(?,?), ref: 02C245F4
                                                        • CLSIDFromString.COMBASE(?,?), ref: 02C246A8
                                                        • CLSIDFromString.COMBASE(?,?), ref: 02C2448C
                                                          • Part of subcall function 02C0D910: RtlLeaveCriticalSection.NTDLL(02C665DC), ref: 02C0D914
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FromString$CriticalSection$EnterInitializeLeave
                                                        • String ID: CLSID$InprocHandler32$InprocServer32$LocalServer$LocalServer32
                                                        • API String ID: 4255397865-3783414347
                                                        • Opcode ID: 9c4380d45667a4daf175e44cd99d0360e3841a4394bccca302dd0df19d8bcf6f
                                                        • Instruction ID: e7b8cd2e5e19cd95498786951ea427113806a4a8903a16210324814537e3f789
                                                        • Opcode Fuzzy Hash: 9c4380d45667a4daf175e44cd99d0360e3841a4394bccca302dd0df19d8bcf6f
                                                        • Instruction Fuzzy Hash: 4A1216715083859BD734DF65C490AEFBBE5BBC9714F404E2DE59A87280DB709908CF92
                                                        Function 02C23050 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 284registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,|sprof| RegEnumKeyExW %s%d%d%d,00000000), ref: 02C230E8
                                                        • GetLastError.KERNEL32(?,?,|sprof| RegEnumKeyExW %s%d%d%d,00000000), ref: 02C23118
                                                        • SetLastError.KERNEL32(00000000,|sprof| RegEnumKeyExW %s%d%d%d,00000000), ref: 02C2313E
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C231CB
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C231E2
                                                        • SetLastError.KERNEL32(?), ref: 02C231F8
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?), ref: 02C23246
                                                          • Part of subcall function 02BFBA80: WideCharToMultiByte.KERNEL32(02C66704,00000000,?,000000FF,00000000,00000005,00000000,00000000,02C197E2,?,00000104,00000001,?), ref: 02BFBB00
                                                        Strings
                                                        • |sprof| RegEnumKeyExW %s%d%d%d, xrefs: 02C2306D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$ByteCharMultiWide$EnumIncrementInterlocked
                                                        • String ID: |sprof| RegEnumKeyExW %s%d%d%d
                                                        • API String ID: 4202822548-2010628423
                                                        • Opcode ID: 2ca69d574b920ca7e4dcf3b9f21f005071c7b07ac22f6cd9f4f300736ce03327
                                                        • Instruction ID: a3e7ad4750ab66dd3d199ff1bc20faf79a4cfb78a5a1156069d2e2d461026d45
                                                        • Opcode Fuzzy Hash: 2ca69d574b920ca7e4dcf3b9f21f005071c7b07ac22f6cd9f4f300736ce03327
                                                        • Instruction Fuzzy Hash: 8AA1FB75608390AFD314DB98C880E2BF7E9EBC9754F144A5CF99583340D7B4E948CBA2
                                                        Function 02C001D0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 02C001FF
                                                        • SetLastError.KERNEL32(00000002), ref: 02C0029B
                                                        • SetLastError.KERNEL32(00000000), ref: 02C0032B
                                                        Strings
                                                        • DeleteFile %s -> 0 (Loaded as DLL/EXE), xrefs: 02C00263
                                                        • DeleteFile (cached/extracted) %s -> %x, xrefs: 02C00305
                                                        • DeleteFile (internal only) %s -> 1, xrefs: 02C002C7
                                                        • DeleteFile %s -> 0 (already deleted), xrefs: 02C0028C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: DeleteFile %s -> 0 (Loaded as DLL/EXE)$DeleteFile %s -> 0 (already deleted)$DeleteFile (cached/extracted) %s -> %x$DeleteFile (internal only) %s -> 1
                                                        • API String ID: 1452528299-695736416
                                                        • Opcode ID: 77efb0a0f04751793dd9e00d973c28fc0fa535896afcdf8d979a8d6c10d98c6a
                                                        • Instruction ID: c4f0bc1f87c53750954234a9d7a22f0525980d363682d770c853d26a1d965e85
                                                        • Opcode Fuzzy Hash: 77efb0a0f04751793dd9e00d973c28fc0fa535896afcdf8d979a8d6c10d98c6a
                                                        • Instruction Fuzzy Hash: 9541CFB0944351DFD311DF28DCC1BBBB7A9EB89710F040A59F99987282D735C985CBA2
                                                        Function 02C07710 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104libraryfileloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32,IsDebuggerPresent), ref: 02C07729
                                                        • GetProcAddress.KERNEL32(00000000), ref: 02C07730
                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 02C07743
                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 02C0784C
                                                        • CloseHandle.KERNEL32(00000000), ref: 02C07862
                                                        • WaitForSingleObject.KERNEL32(?,000001F4), ref: 02C07895
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$AddressCloseFileModuleObjectProcSemaphoreSingleWait
                                                        • String ID: IsDebuggerPresent$kernel32
                                                        • API String ID: 183088082-1195679753
                                                        • Opcode ID: 621108a7e24c2cacf3c9d63d74d30f7409a147e9ca39f95172bb7542726d8380
                                                        • Instruction ID: 24fcd6fbf1994c224353a0394036594120b5e98800481b950da1c755502f0a30
                                                        • Opcode Fuzzy Hash: 621108a7e24c2cacf3c9d63d74d30f7409a147e9ca39f95172bb7542726d8380
                                                        • Instruction Fuzzy Hash: 40417F3054C3829ED315CB39888872AFFD45B9A328F184B9CF5E4A72E1C764D249C76B
                                                        Function 02C48298 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,02C43EAD,?,Microsoft Visual C++ Runtime Library,00012010,?,02C50A28,?,02C50A78,?,?,?,Runtime Error!Program: ), ref: 02C482AA
                                                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 02C482C2
                                                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 02C482D3
                                                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 02C482E0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                        • API String ID: 2238633743-4044615076
                                                        • Opcode ID: 179f6d62185ba686c10cc02a248f832a4d082ba70c6690273555a9917c2bcc58
                                                        • Instruction ID: 56e4e5bbfee7400deff9cb27bd18912859960e4b8761917e95039ffff946ed4b
                                                        • Opcode Fuzzy Hash: 179f6d62185ba686c10cc02a248f832a4d082ba70c6690273555a9917c2bcc58
                                                        • Instruction Fuzzy Hash: 3D018471A807129FD7109FB69D88F2B7BECEA8965C3000E79F515E2101EB74D495CF21
                                                        Function 02C267E0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 422COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000080,?), ref: 02C269BB
                                                        • CLSIDFromString.COMBASE(?,?), ref: 02C269DA
                                                        • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 02C26CD6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharFromMultiNamePathShortStringWide
                                                        • String ID: CLSID$CLSID\%s\InProcServer32$CLSID\%s\TypeLib$TypeLib\%s
                                                        • API String ID: 834779956-3043524355
                                                        • Opcode ID: fd709f3beebd5ee5cdf41e1811f1cd3284f3c10372197e454f828f8910b55b95
                                                        • Instruction ID: 70aa584a5e2c0715190002931b05e4c950c84d65f38a3594fe3d328c3563b8bc
                                                        • Opcode Fuzzy Hash: fd709f3beebd5ee5cdf41e1811f1cd3284f3c10372197e454f828f8910b55b95
                                                        • Instruction Fuzzy Hash: E8026BB15083859FD724DF24C880BABBBE9EFC5708F144D5CE98A87241DB74A548CB67
                                                        Function 02BFE2A1 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 204fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileA.KERNEL32(02C661AC,?,?,?,?,?,?), ref: 02BFE2DB
                                                        • SetLastError.KERNEL32(00000050), ref: 02BFE336
                                                        • GetLastError.KERNEL32 ref: 02BFE3A6
                                                        • GetLastError.KERNEL32(?), ref: 02BFE51E
                                                        Strings
                                                        • CreateFile '%s' dwDesiredAccess=(%s)%x share=%s(%x) (failed because CREATEFILE specified for exisiting file) -> %x %s (er=0x%x), xrefs: 02BFE3CA
                                                        • ***failed, xrefs: 02BFE35B, 02BFE4D5
                                                        • CreateFile '%s' dwDesiredAccess=(%s)%x share=%s(%x) (thinstall controlled) -> %x (er=0x%x) %s, xrefs: 02BFE53D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CreateFile
                                                        • String ID: ***failed$CreateFile '%s' dwDesiredAccess=(%s)%x share=%s(%x) (failed because CREATEFILE specified for exisiting file) -> %x %s (er=0x%x)$CreateFile '%s' dwDesiredAccess=(%s)%x share=%s(%x) (thinstall controlled) -> %x (er=0x%x) %s
                                                        • API String ID: 1722934493-3403004051
                                                        • Opcode ID: 5aecd828db0527e4c168db6523b0879bfe6e3a4f4e102953420a1c8fc1313d30
                                                        • Instruction ID: ce4c57b9ffb7a059dde7a9556c390db00443ba0d63d86860d1143b1e9348e4ac
                                                        • Opcode Fuzzy Hash: 5aecd828db0527e4c168db6523b0879bfe6e3a4f4e102953420a1c8fc1313d30
                                                        • Instruction Fuzzy Hash: 38814E74508380AFD760DF24C854BEBB7E9EBC9714F048A4CFA9987251D734D949CB62
                                                        Function 02C49061 Relevance: 12.2, APIs: 8, Instructions: 170COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,00000100,02C50BA4,00000001,00000000,00000000), ref: 02C490A3
                                                        • LCMapStringA.KERNEL32(00000000,00000100,02C66F80,00000001,00000000,00000000), ref: 02C490BF
                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 02C49108
                                                        • WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 02C4913B
                                                        • WideCharToMultiByte.KERNEL32(?,00000220,?,?,?,?,00000000,00000000), ref: 02C49192
                                                        • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 02C491AE
                                                        • LCMapStringA.KERNEL32(?,?,?,?,?,00000000), ref: 02C49204
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: String$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 352835431-0
                                                        • Opcode ID: cf2fd47a3ec739b5518e7202977b533efc68e6df7f970c836851127f779e1023
                                                        • Instruction ID: 840d9f8c485c1754d45504e36fc78f6c8566e7dfa11c899b83bddf94b50bf3b5
                                                        • Opcode Fuzzy Hash: cf2fd47a3ec739b5518e7202977b533efc68e6df7f970c836851127f779e1023
                                                        • Instruction Fuzzy Hash: 81518831940229EBCF328F96DD49AEF7F7AFF897A4F004515F914A2150CB358A60DBA1
                                                        Function 02C207E0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 284registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegEnumValueW.ADVAPI32(?,?,?,?,?,?,?,?,|sprof| RegEnumValueW %s%d%d%d,00000000), ref: 02C20877
                                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?), ref: 02C2091C
                                                        • RegEnumValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,|sprof| RegEnumValueW %s%d%d%d,00000000), ref: 02C209FA
                                                        Strings
                                                        • RegEnumValueW 0x%x %s index=0x%x -> 0x%x, xrefs: 02C20ACF
                                                        • RegEnumValueW 0x%x %s index=0x%x -> 0x%x (%s), xrefs: 02C20A89
                                                        • |sprof| RegEnumValueW %s%d%d%d, xrefs: 02C207FC
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnumValue$ByteCharIncrementInterlockedMultiWide
                                                        • String ID: RegEnumValueW 0x%x %s index=0x%x -> 0x%x$RegEnumValueW 0x%x %s index=0x%x -> 0x%x (%s)$|sprof| RegEnumValueW %s%d%d%d
                                                        • API String ID: 1005474031-1329525297
                                                        • Opcode ID: 8fb5927fb632607f7840aecc94728c9390e0836174bc7c2ad37b9b52e82a667f
                                                        • Instruction ID: f627e1fb5bf1fdd9ea864ebd6e007167f70213b4c94f815faa929c702f1a7c69
                                                        • Opcode Fuzzy Hash: 8fb5927fb632607f7840aecc94728c9390e0836174bc7c2ad37b9b52e82a667f
                                                        • Instruction Fuzzy Hash: 2CB135B16083509FD314DB58C880A2BBBF9FBD9754F548A0DF69687390CB71E944CBA2
                                                        Function 02C1C010 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 282COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000007,000000FF,?,00000100,00000000,00000000), ref: 02C1C2C0
                                                        Strings
                                                        • |reg_sz| %s %s = "%s", xrefs: 02C1C2D9
                                                        • |reg_expand_sz| %s %s = "%s", xrefs: 02C1C2EB
                                                        • |reg_other| %s %s = type(%d) %d bytes, xrefs: 02C1C299
                                                        • |reg_dword| %s = %d, xrefs: 02C1C277
                                                        • |virtual_key| %s%s t_vlaues=%d t_keys=%d, xrefs: 02C1C1EF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: |reg_dword| %s = %d$|reg_expand_sz| %s %s = "%s"$|reg_other| %s %s = type(%d) %d bytes$|reg_sz| %s %s = "%s"$|virtual_key| %s%s t_vlaues=%d t_keys=%d
                                                        • API String ID: 626452242-3196805294
                                                        • Opcode ID: 46bf8c08bd8019224d98835eedfad21963e26db3f2a2f695ff64618813e8c7fb
                                                        • Instruction ID: 2cfaa2b0c2fd001c916e1b78256d5cdaac94bf2849af520a1ef1d83cc9570ef0
                                                        • Opcode Fuzzy Hash: 46bf8c08bd8019224d98835eedfad21963e26db3f2a2f695ff64618813e8c7fb
                                                        • Instruction Fuzzy Hash: 52B1B0716482418FC724DF58C885EABB7E5BFCA708F444A5DF48A97251D730EA48CBA3
                                                        Function 02C22000 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 193registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegCloseKey.ADVAPI32(?,000000FF,02C2233D,00000000,?,00000000,02C4E0C8,000000FF), ref: 02C22046
                                                        Strings
                                                        • RegCloseKey 0x%x %s open_count=%d, xrefs: 02C22133
                                                        • RegCloseKey 0x%x finish -> 0x%x, xrefs: 02C22238
                                                        • RegCloseKey 0x%x %s (key already closed or not seen before), xrefs: 02C221B8
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: RegCloseKey 0x%x %s (key already closed or not seen before)$RegCloseKey 0x%x %s open_count=%d$RegCloseKey 0x%x finish -> 0x%x
                                                        • API String ID: 3535843008-1373027064
                                                        • Opcode ID: e1c649bf3a70bb823ba06c579ec66ecc182344972c2b6aaba4773f68c1984fe0
                                                        • Instruction ID: 14c99a21573a914d8a4ad5b0aee8d1bf4292ec49075d7edd10dc7bfa016e459f
                                                        • Opcode Fuzzy Hash: e1c649bf3a70bb823ba06c579ec66ecc182344972c2b6aaba4773f68c1984fe0
                                                        • Instruction Fuzzy Hash: B1619A75608311ABD314DB64C884E2BB7E9EFC8708F044A1CFD4A83251DB31E949CBA2
                                                        Function 02BF0280 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 191fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FindNextFileA.KERNEL32(?,?), ref: 02BF02DF
                                                        • SetLastError.KERNEL32(00000000), ref: 02BF0444
                                                        • SetLastError.KERNEL32(00000012), ref: 02BF0456
                                                        • FindNextFileA.KERNEL32(?,?), ref: 02BF047F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileFindLastNext
                                                        • String ID: @none@$findnext %x (th controlled) -> %x '%s'
                                                        • API String ID: 32741936-2334871492
                                                        • Opcode ID: 06f410733c4e63e37796301f04908d8e5e7703200f0c56910638b6ccd3601aab
                                                        • Instruction ID: fb7c61884d8eb2f1206403edc2eab528579b0de01ff236a5319ee440e51a24f2
                                                        • Opcode Fuzzy Hash: 06f410733c4e63e37796301f04908d8e5e7703200f0c56910638b6ccd3601aab
                                                        • Instruction Fuzzy Hash: 29618270608345CFD764EF18C884BABB7E5FB88304F084D58E9859B356DB31E949CB92
                                                        Function 02C127EE Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetVersionExA.KERNEL32(?), ref: 02C12866
                                                        • RegOpenKeyExA.ADVAPI32(80000001,02C5E8B0,00000000,00020019,?,?,?,?,?), ref: 02C12920
                                                        • RegQueryValueExA.ADVAPI32 ref: 02C12961
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 02C1296E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValueVersion
                                                        • String ID: QRj$get shell folders
                                                        • API String ID: 2996790148-2352348837
                                                        • Opcode ID: 34f93014d5eb906163d4fad82e9ab587e5ea9c5f92a771cc8eb4ae33dc4a2fcb
                                                        • Instruction ID: ffb20747d7efb4b6bc894d5e4222671f8448b73de6c1d44534fb71467575ad45
                                                        • Opcode Fuzzy Hash: 34f93014d5eb906163d4fad82e9ab587e5ea9c5f92a771cc8eb4ae33dc4a2fcb
                                                        • Instruction Fuzzy Hash: 9551C076A003219BF720DB24DC42BAB7399EFC6344F04095CED48A7241EB75EA45DBA3
                                                        Function 02C2C120 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 142windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,?), ref: 02C2C213
                                                          • Part of subcall function 02C2BF30: RegQueryValueA.ADVAPI32 ref: 02C2BF5C
                                                        • MessageBoxA.USER32(00000000,?,Virtual DLL error,00000000), ref: 02C2C1CC
                                                        Strings
                                                        • SetWindowsHookExW (%x %x %x %x) cannot be called for virtual module %sPlease extract DLL to disk first and ensure DLL is loaded by systemModule0=%x, xrefs: 02C2C1B4
                                                        • unknown-DLL, xrefs: 02C2C258
                                                        • Virtual DLL error, xrefs: 02C2C1C5
                                                        • SetWindowHooksExW %x %x %x(%s) %x -> %x, xrefs: 02C2C280
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: HandleMessageModuleQueryValue
                                                        • String ID: SetWindowHooksExW %x %x %x(%s) %x -> %x$SetWindowsHookExW (%x %x %x %x) cannot be called for virtual module %sPlease extract DLL to disk first and ensure DLL is loaded by systemModule0=%x$Virtual DLL error$unknown-DLL
                                                        • API String ID: 3421636547-2062705966
                                                        • Opcode ID: 17bfb04d8f8804adc5e4449aaac9afb70ef03c7f47386a922a1cd335878f3096
                                                        • Instruction ID: 50d652543ff8a450306312cbeb3910ef62caa030e514029498145ff1a62cedc3
                                                        • Opcode Fuzzy Hash: 17bfb04d8f8804adc5e4449aaac9afb70ef03c7f47386a922a1cd335878f3096
                                                        • Instruction Fuzzy Hash: 8A41EF75504390ABD610DF55CC84F6FBBA9FFC5B88F050A1EF88653241CB719A08CB62
                                                        Function 02BE9090 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 128fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004,?,00000001), ref: 02BE91B6
                                                        Strings
                                                        • com, xrefs: 02BE90BE
                                                        • CreateFile vxd_original='%s' (*** not cacheable) -> %x, xrefs: 02BE920E
                                                        • CreateFile vxd_original='%s' (cached_to=%s) -> %x, xrefs: 02BE91DD
                                                        • vxd, xrefs: 02BE90FF
                                                        • \\.\%s, xrefs: 02BE9175
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID: CreateFile vxd_original='%s' (*** not cacheable) -> %x$CreateFile vxd_original='%s' (cached_to=%s) -> %x$\\.\%s$com$vxd
                                                        • API String ID: 823142352-944036194
                                                        • Opcode ID: 641c2d3836ba8d4f2a10c4e13486a124623116538524c65c6dd7e2ecfb4f339b
                                                        • Instruction ID: b3713e4ce84008d2389b008cd2a87d96394640769912c5789d941aaf601da5d9
                                                        • Opcode Fuzzy Hash: 641c2d3836ba8d4f2a10c4e13486a124623116538524c65c6dd7e2ecfb4f339b
                                                        • Instruction Fuzzy Hash: 31417F71508381AFDB20DF64DC91BEBB7A8EF88704F00495CE99A43281DB749949CBA3
                                                        Function 02C3C3A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000200,00000000,00000000), ref: 02C3C41C
                                                        • LoadLibraryA.KERNEL32(oleaut32.dll), ref: 02C3C449
                                                        Strings
                                                        • SetErrorInfo Description='%s' -> %x ***, xrefs: 02C3C42F
                                                        • SetErrorInfo perrinfo=0 -> 0x%x, xrefs: 02C3C3DD
                                                        • oleaut32.dll, xrefs: 02C3C444
                                                        • SysFreeString, xrefs: 02C3C455
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLibraryLoadMultiWide
                                                        • String ID: SetErrorInfo Description='%s' -> %x ***$SetErrorInfo perrinfo=0 -> 0x%x$SysFreeString$oleaut32.dll
                                                        • API String ID: 2592636585-3871784108
                                                        • Opcode ID: ef8fc83401b16884c47b508617e337b04e4f115a8d1e41940fae505415eeef1d
                                                        • Instruction ID: 15c1ebb94ec36467c75d921b63eb0a2c6ed97d13230be3bb9a4112b43b7c7fe2
                                                        • Opcode Fuzzy Hash: ef8fc83401b16884c47b508617e337b04e4f115a8d1e41940fae505415eeef1d
                                                        • Instruction Fuzzy Hash: 71217175640201ABE210DB59DC4CF7BB7ACEFC5754F008A29F519D7250E630D955CBA2
                                                        Function 02C007C0 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 176COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetLastError.KERNEL32(00000057), ref: 02C007ED
                                                        • SetLastError.KERNEL32(00000057), ref: 02C0081B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: (success)$*** failed$OpenFile %s -> %x%s
                                                        • API String ID: 1452528299-3575543144
                                                        • Opcode ID: 3bd69ade15c253d7e826040244814715233d2985231963432cf98a3d58ef004c
                                                        • Instruction ID: 666accfd5d2e193256807805c5a5939ab334458506a6a2a8893f7166d5d06062
                                                        • Opcode Fuzzy Hash: 3bd69ade15c253d7e826040244814715233d2985231963432cf98a3d58ef004c
                                                        • Instruction Fuzzy Hash: 6D51FE70948341ABEB24CF14C8C5BBBB799FFC4754F050A0CE985572C1D7B49A85CBA6
                                                        Function 02C4A09D Relevance: 9.1, APIs: 6, Instructions: 143COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetStringTypeW.KERNEL32(00000001,02C50BA4,00000001,?), ref: 02C4A0DC
                                                        • GetStringTypeA.KERNEL32(00000000,00000001,02C66F80,00000001,?), ref: 02C4A0F6
                                                        • GetStringTypeW.KERNEL32(00000100,?,?,?), ref: 02C4A11D
                                                        • WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 02C4A150
                                                        • WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 02C4A1B9
                                                        • GetStringTypeA.KERNEL32(?,00000100,?,?), ref: 02C4A224
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: StringType$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 3852931651-0
                                                        • Opcode ID: 2756a349f6190d298ec960e5d3bfdbdc065fc12ab639d5f3ccca17c820017b12
                                                        • Instruction ID: 56ca34fc1a938e039e7b819bbe0d3f4be30ca5bad07f2289e60cf2f5200d15b2
                                                        • Opcode Fuzzy Hash: 2756a349f6190d298ec960e5d3bfdbdc065fc12ab639d5f3ccca17c820017b12
                                                        • Instruction Fuzzy Hash: DC519D71980209EFDF218F95CC49AEFBF79EB89714F204519F914A2250DB319690DBA1
                                                        Function 02C06100 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 02C061FE
                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 02C06201
                                                        • VirtualQuery.KERNEL32(?,?,0000001C,?,?), ref: 02C06286
                                                        Strings
                                                        • no associated DLL/EXE found, xrefs: 02C062BB
                                                        • stack_trace %02d: addr=%08x (%s @ %08x), xrefs: 02C062D5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessQueryThreadVirtual
                                                        • String ID: stack_trace %02d: addr=%08x (%s @ %08x)$no associated DLL/EXE found
                                                        • API String ID: 3758119208-3534982231
                                                        • Opcode ID: f9d85b4217dc8d2ee8ac89c27c1739f634bdaa0701c31bb9909991f2cb90846b
                                                        • Instruction ID: 9715adda4bce9010e8a8aa3ab5f6b63a80d1b2e45a5bce3e1fe266a134cdd691
                                                        • Opcode Fuzzy Hash: f9d85b4217dc8d2ee8ac89c27c1739f634bdaa0701c31bb9909991f2cb90846b
                                                        • Instruction Fuzzy Hash: 315158715083419BD720DF69C884B6BBBE9FBC8304F14096DF59A93290DB74A948CF92
                                                        Function 02C073B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 146COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,0000001C,?,?), ref: 02C07479
                                                          • Part of subcall function 02C06DF0: LoadLibraryA.KERNEL32(psapi.dll), ref: 02C06E19
                                                          • Part of subcall function 02C06DF0: GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 02C06E29
                                                          • Part of subcall function 02C06DF0: GetCurrentProcess.KERNEL32 ref: 02C06E5A
                                                        Strings
                                                        • @, xrefs: 02C07403
                                                        • NOT_CODE_ADDRESS, xrefs: 02C07453
                                                        • VirtualProtect addr=%x (%s) size=%x new_prot=%x (%s) old_prot=%x *old_prot=%x (%s) VirtualQuery(%x)=%s -> %x %s, xrefs: 02C074FC
                                                        • (failed) ***, xrefs: 02C07481
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: AddressCurrentLibraryLoadProcProcessQueryVirtual
                                                        • String ID: (failed) ***$@$NOT_CODE_ADDRESS$VirtualProtect addr=%x (%s) size=%x new_prot=%x (%s) old_prot=%x *old_prot=%x (%s) VirtualQuery(%x)=%s -> %x %s
                                                        • API String ID: 3590334313-498114565
                                                        • Opcode ID: ffa38ed10c44da97ea7f1cf131839d7ebb5f3fe13e80f82d903fc9c35c889f3f
                                                        • Instruction ID: 49c6a98e7b6037cd67a5e791f3a244b642f26e9e52fcf4d6d99ad749d525b56a
                                                        • Opcode Fuzzy Hash: ffa38ed10c44da97ea7f1cf131839d7ebb5f3fe13e80f82d903fc9c35c889f3f
                                                        • Instruction Fuzzy Hash: 6F5139B5608340AFD714DF99C884A6BFBE9AFC9704F104A5CFA9583250D774E909CB62
                                                        Function 02BEA600 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                          • Part of subcall function 02BE6FB0: GetCurrentThread.KERNEL32 ref: 02BE70D0
                                                          • Part of subcall function 02BE6FB0: GetProcessHeap.KERNEL32 ref: 02BE70E4
                                                          • Part of subcall function 02BE6FB0: RtlAllocateHeap.NTDLL(00000000,00000000,02C66250), ref: 02BE70F3
                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02BEA732
                                                        • GetCurrentThreadId.KERNEL32 ref: 02BEA742
                                                        • GetCurrentThread.KERNEL32 ref: 02BEA749
                                                          • Part of subcall function 02C0D8E0: RtlInitializeCriticalSection.NTDLL(02C665E4), ref: 02C0D8EC
                                                          • Part of subcall function 02C0D8E0: RtlEnterCriticalSection.NTDLL(02C665DC), ref: 02C0D8FC
                                                        Strings
                                                        • |sprof| new_thread_start %s%d%d%d, xrefs: 02BEA620
                                                        • Thread h=%x, id=%x is running, stack = %08x - %08x, xrefs: 02BEA750
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$CriticalHeapSection$AllocateEnterIncrementInitializeInterlockedProcessQueryVirtual
                                                        • String ID: Thread h=%x, id=%x is running, stack = %08x - %08x$|sprof| new_thread_start %s%d%d%d
                                                        • API String ID: 3632135041-1063520004
                                                        • Opcode ID: c7d591a480070e3013a1a4686f12e911323350ffb85ab96e94afbda09d052540
                                                        • Instruction ID: f83a3f65fa735f77236961d2c7eaf2aff94f7e9c19ccab70c09dd54fff9461de
                                                        • Opcode Fuzzy Hash: c7d591a480070e3013a1a4686f12e911323350ffb85ab96e94afbda09d052540
                                                        • Instruction Fuzzy Hash: B3419FB5E002149FCF14DFA8C895ABEBBB9EF45304F1486A9E917A7341CB34AD41CB90
                                                        Function 02C23750 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 120registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 02C237A8
                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,02C4E290,000000FF), ref: 02C23829
                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 02C2383F
                                                        Strings
                                                        • RegDeleteKey 0x%x(\%s) -> 0x%x, xrefs: 02C23862
                                                        • |sprof| RegDeleteKeyA %s%d%d%d, xrefs: 02C2376D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Delete$ErrorIncrementInterlockedLast
                                                        • String ID: RegDeleteKey 0x%x(\%s) -> 0x%x$|sprof| RegDeleteKeyA %s%d%d%d
                                                        • API String ID: 2478959702-2473268095
                                                        • Opcode ID: dcb8c1e09220e4b1f411b3cf7ae4687977d595a3d74fac8dc17867b5090fdcfb
                                                        • Instruction ID: 1696c161dc3116d35e933f7d80996e74e3a58bbaeb9e476e033dc3eb43a083ff
                                                        • Opcode Fuzzy Hash: dcb8c1e09220e4b1f411b3cf7ae4687977d595a3d74fac8dc17867b5090fdcfb
                                                        • Instruction Fuzzy Hash: E84190756043949BC210DF59C884F2BBBE9EFC5B68F044A6DF85697340CB34E948CBA2
                                                        Function 02C05377 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02C0543C
                                                        • SetEnvironmentVariableA.KERNEL32(TS_LEVEL,02C5A3CC), ref: 02C05463
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentHandleModuleVariable
                                                        • String ID: "%s"$"%s" %s$TS_LEVEL
                                                        • API String ID: 3528341145-195194587
                                                        • Opcode ID: daa27e099396ca6fe22cd1a7ae24b0f52e657c8a44bfeb6ed02040652e16f4cd
                                                        • Instruction ID: bda8933d74c815a7396905e1bb3f9e510ff5988ae207ea95214444a7dacd2938
                                                        • Opcode Fuzzy Hash: daa27e099396ca6fe22cd1a7ae24b0f52e657c8a44bfeb6ed02040652e16f4cd
                                                        • Instruction Fuzzy Hash: 40310A74404340ABE720DF50C880BAB7BA9AF85798F44485CECDA23281D7B5D146CFA2
                                                        Function 02C054C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90processsynchronizationCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetStartupInfoA.KERNEL32 ref: 02C054E6
                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?), ref: 02C05562
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 02C05579
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 02C05589
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Process$CodeCreateExitInfoObjectSingleStartupWait
                                                        • String ID: D
                                                        • API String ID: 298944466-2746444292
                                                        • Opcode ID: 4e6e27453135b2df9dff02b993b2c60ad25c9bdd962d6b6e20172057a5cb6061
                                                        • Instruction ID: 9c618d0be48317d75ad0d55e68145704a8d061ed57582bdca3b6fbaa5d49135f
                                                        • Opcode Fuzzy Hash: 4e6e27453135b2df9dff02b993b2c60ad25c9bdd962d6b6e20172057a5cb6061
                                                        • Instruction Fuzzy Hash: F3316BB1508741AFE314CF64C880A6BBBE8FBC4764F104E1DB5A6832A0DB34D944CF62
                                                        Function 02C07140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38memorywindowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02C07174
                                                        • MessageBoxA.USER32(00000000,Out of memory during shutdown,02C66218,00000000), ref: 02C07191
                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 02C07199
                                                        • TerminateProcess.KERNEL32(00000000), ref: 02C071A0
                                                        Strings
                                                        • Out of memory during shutdown, xrefs: 02C0718A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Process$AllocCurrentMessageTerminateVirtual
                                                        • String ID: Out of memory during shutdown
                                                        • API String ID: 3395095539-4032929479
                                                        • Opcode ID: 6e49a45fb821dd788d0b5e997193d7537ae667630efeef4a89706945e4219d2c
                                                        • Instruction ID: 0b45bc84eedec74c50ba9d8790e21d7cf50343554e35fe6565b47bd11812c5a3
                                                        • Opcode Fuzzy Hash: 6e49a45fb821dd788d0b5e997193d7537ae667630efeef4a89706945e4219d2c
                                                        • Instruction Fuzzy Hash: 13017C72AC0301AFDB04CF64EC89F5237A8FB48700F208E19F20ADB585D774E4918B94
                                                        Function 02C12740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,00000000), ref: 02C1275C
                                                        • RegQueryValueExA.ADVAPI32 ref: 02C12791
                                                        • RegCloseKey.ADVAPI32(?,?,?,?), ref: 02C127B6
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 02C12752
                                                        • ProgramFilesDir, xrefs: 02C1277B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                        • API String ID: 3677997916-2634093826
                                                        • Opcode ID: 6c67214b846a260d8e13d64494f8f4f40408ec66314e3b8429a5ec3ee72d3bfb
                                                        • Instruction ID: c3994509acc5500c83a6816de6fb8c9707bee36e4e9b762c3e6ab11a82c453fe
                                                        • Opcode Fuzzy Hash: 6c67214b846a260d8e13d64494f8f4f40408ec66314e3b8429a5ec3ee72d3bfb
                                                        • Instruction Fuzzy Hash: 87F03C74A44315BFF214DB50DC46FAB77A8AFC8708F00891CBA5D92181D3B4D658CBA6
                                                        Function 02C421DB Relevance: 7.7, APIs: 5, Instructions: 246COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4015701eb439f9d511a13e754f1c48928d2174adbd466e880de826ab92b53ac4
                                                        • Instruction ID: a8bd884643d0aa9a449bf38fd026400e38d59492a138af9ed26c49d188875b59
                                                        • Opcode Fuzzy Hash: 4015701eb439f9d511a13e754f1c48928d2174adbd466e880de826ab92b53ac4
                                                        • Instruction Fuzzy Hash: 9671E9329415207BDB326A15CC4ABAF3A2AEFC17B4F154614FC589A190DF31CB50DA93
                                                        Function 02C20190 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 410registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegQueryInfoKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,|sprof| RegQueryInfoKeyA %s%d%d%d,00000000,?,?), ref: 02C20250
                                                        • RegQueryInfoKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,|sprof| RegQueryInfoKeyA %s%d%d%d,00000000,?,?), ref: 02C204AA
                                                        Strings
                                                        • RegQueryInfoKey 0x%x %s -> 0x%x, xrefs: 02C205A3
                                                        • |sprof| RegQueryInfoKeyA %s%d%d%d, xrefs: 02C201B1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: InfoQuery$IncrementInterlocked
                                                        • String ID: RegQueryInfoKey 0x%x %s -> 0x%x$|sprof| RegQueryInfoKeyA %s%d%d%d
                                                        • API String ID: 2457925487-3677765855
                                                        • Opcode ID: b9676a67266576612835f9aef09e72cb51e788b0c9692d698c21182187682017
                                                        • Instruction ID: 2b28228b2fb8ce56c32615a718b337236e54ceebda516cb4950cbfd6ed4601a6
                                                        • Opcode Fuzzy Hash: b9676a67266576612835f9aef09e72cb51e788b0c9692d698c21182187682017
                                                        • Instruction Fuzzy Hash: 6AE126716082519FC714CF98C990A2BF7EABFD8704F148A1DF99A87350DB70E949CB92
                                                        Function 02C233A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 178registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegDeleteValueA.ADVAPI32(?,?,?,?,?,?,?,?,02C4E248,000000FF), ref: 02C233FA
                                                        • RegDeleteValueA.ADVAPI32(?,?), ref: 02C2351B
                                                        Strings
                                                        • RegDeleteValue 0x%x %s name=%s-> 0x%x, xrefs: 02C23554
                                                        • |sprof| RegDeleteValueA %s%d%d%d, xrefs: 02C233BB
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: DeleteValue$IncrementInterlocked
                                                        • String ID: RegDeleteValue 0x%x %s name=%s-> 0x%x$|sprof| RegDeleteValueA %s%d%d%d
                                                        • API String ID: 2149648394-753369503
                                                        • Opcode ID: e306575b71548ccd1fe7fd7d8242f0d2fb43851099288abaadfda0d5079b15a4
                                                        • Instruction ID: 307e4815f7fd329928678b8f81287818e792af2cc4f6dd8904e360c915ade141
                                                        • Opcode Fuzzy Hash: e306575b71548ccd1fe7fd7d8242f0d2fb43851099288abaadfda0d5079b15a4
                                                        • Instruction Fuzzy Hash: 3C51B2716043519FD715DF18C840F2BB7E9AFC8728F044A9CF89A97280DB74EA49CB91
                                                        Function 02C0E090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: __aulldiv__aullrem
                                                        • String ID: 0$0123456789abcdef
                                                        • API String ID: 3839614884-3442115894
                                                        • Opcode ID: 6d3020b074d1e62c28054c8904e408fe69392add57302651b2694aa82463beff
                                                        • Instruction ID: d79ae77aea9075447d48ac083c3a6cea98456dc8016ac5c710efe0d16af012a1
                                                        • Opcode Fuzzy Hash: 6d3020b074d1e62c28054c8904e408fe69392add57302651b2694aa82463beff
                                                        • Instruction Fuzzy Hash: 96519F756483459FDB24CF28D880B9BFBE6ABC9704F044A5DF88997341D630DE49CB92
                                                        Function 02C21220 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 135registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,|sprof| RegCreateKeyExW %s%d%d%d,00000000), ref: 02C212C2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateIncrementInterlocked
                                                        • String ID: ?$RegCreateKeyExW$|sprof| RegCreateKeyExW %s%d%d%d
                                                        • API String ID: 1897693299-2866581020
                                                        • Opcode ID: 46ab95af86813c3594728fc75c9eeea9a22ca9294d40838f3a9d812463df254c
                                                        • Instruction ID: dbf20a8101fcd711415cee43a02a57ba746871751ceaa83ca674feae75fdb0fc
                                                        • Opcode Fuzzy Hash: 46ab95af86813c3594728fc75c9eeea9a22ca9294d40838f3a9d812463df254c
                                                        • Instruction Fuzzy Hash: 3151B2B5608B809FC314DF69C49092BB7E6BBC9714F648A1DF6A983360C771E805CF62
                                                        Function 02C0A620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C0D8E0: RtlInitializeCriticalSection.NTDLL(02C665E4), ref: 02C0D8EC
                                                          • Part of subcall function 02C0D8E0: RtlEnterCriticalSection.NTDLL(02C665DC), ref: 02C0D8FC
                                                        • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000,?,?), ref: 02C0A6A4
                                                        • UnmapViewOfFile.KERNEL32(00000000,?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 02C0A6F2
                                                          • Part of subcall function 02BFFBE0: WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00000000,?,00000001,00000001), ref: 02BFFC17
                                                          • Part of subcall function 02C006E0: CloseHandle.KERNEL32(?,?,00000000,?,?), ref: 02C006F8
                                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 02C0A751
                                                        Strings
                                                        • closing open memory map : %x, xrefs: 02C0A73F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCriticalHandleSectionView$EnterInitializeUnmapWrite
                                                        • String ID: closing open memory map : %x
                                                        • API String ID: 402462061-2655366834
                                                        • Opcode ID: d93558e45415214e1bbcf4a848a29d58a1e1b25cffbee7819e9b5e971a57a2d8
                                                        • Instruction ID: eca0e614151d596df35ad27503581c67649cc3621bf2e6469d8a3a5a2cba2e6d
                                                        • Opcode Fuzzy Hash: d93558e45415214e1bbcf4a848a29d58a1e1b25cffbee7819e9b5e971a57a2d8
                                                        • Instruction Fuzzy Hash: D9418C75644700ABD614EF28C894F6AB3A9FBC8B14F508A1CF65AA73C0C738E945CB91
                                                        Function 02C4A750 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • MessageBoxA.USER32(00000000,?,?,00000000), ref: 02C4A82C
                                                        • MessageBoxA.USER32(00000000,?,?,00000000), ref: 02C4A850
                                                        Strings
                                                        • Unrecoverable error, xrefs: 02C4A7C5
                                                        • Unrecoverable error at %s:%d, xrefs: 02C4A7B1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: Unrecoverable error$Unrecoverable error at %s:%d
                                                        • API String ID: 2030045667-2614997371
                                                        • Opcode ID: e530f50dbe6a11ee8b02dbde95ef4f4d9d24fb2681148c3c204d2415b92bd06b
                                                        • Instruction ID: 631f9f9b60791956628b2a9e9abd5844c9d896b36916d19d35a190d4d9aeedcd
                                                        • Opcode Fuzzy Hash: e530f50dbe6a11ee8b02dbde95ef4f4d9d24fb2681148c3c204d2415b92bd06b
                                                        • Instruction Fuzzy Hash: 4031B272544345AFD720DF54C891FABB7A9FF84718F000A1CF99A57280EB74AA05CBA2
                                                        Function 02C227C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegEnumKeyA.ADVAPI32(?,?,?,?), ref: 02C22819
                                                        • RegEnumKeyA.ADVAPI32(?,?,?,?), ref: 02C2284F
                                                        Strings
                                                        • *none*, xrefs: 02C22872
                                                        • RegEnumKeyA 0x%x %s index=0x%x -> 0x%x (%s), xrefs: 02C22898
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Enum
                                                        • String ID: *none*$RegEnumKeyA 0x%x %s index=0x%x -> 0x%x (%s)
                                                        • API String ID: 2928410991-3404819888
                                                        • Opcode ID: 186cf56ac2cdfd0f9c43c18d6b0b72d88666e9faf053d5b985e95fb227b64013
                                                        • Instruction ID: b434a6d10d2ee861bf98b8f0d354b85961fafb7887b4fca3aaa789ad4b163776
                                                        • Opcode Fuzzy Hash: 186cf56ac2cdfd0f9c43c18d6b0b72d88666e9faf053d5b985e95fb227b64013
                                                        • Instruction Fuzzy Hash: CB3118B6608350AFD214CB55DC84E6BBBE8EFC9758F044A1CF95993241DB30EA45CBB2
                                                        Function 02C05392 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02C0543C
                                                        • SetEnvironmentVariableA.KERNEL32(TS_LEVEL,02C5A3CC), ref: 02C05463
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentHandleModuleVariable
                                                        • String ID: "%s" %s$TS_LEVEL
                                                        • API String ID: 3528341145-986097069
                                                        • Opcode ID: f5337b2bcc6383aff773926e2d08e41f3e9391aa0a01464d59f4d247c4508949
                                                        • Instruction ID: d6f346bb42612897d7db27a6d64de1048a2bbe1909b801f32185dadd88532c5a
                                                        • Opcode Fuzzy Hash: f5337b2bcc6383aff773926e2d08e41f3e9391aa0a01464d59f4d247c4508949
                                                        • Instruction Fuzzy Hash: F1313B74404340ABE720DF54C884BAB7BA8BF85798F84484CE8D9232C1C7B5D185CFA2
                                                        Function 02C214D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegCreateKeyW.ADVAPI32(?,?,?), ref: 02C21537
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateIncrementInterlocked
                                                        • String ID: ?$RegCreateKeyW$|sprof| RegCreateKeyW %s%d%d%d
                                                        • API String ID: 1897693299-1876887706
                                                        • Opcode ID: d8dade216532511c81cd83a45ddc92541e58f07758b5a874bf512edcfb825c8f
                                                        • Instruction ID: 5176ec4de4ff75d30c5e974e7062fe33bb54bad342e0931eae82f9a0d5f9e360
                                                        • Opcode Fuzzy Hash: d8dade216532511c81cd83a45ddc92541e58f07758b5a874bf512edcfb825c8f
                                                        • Instruction Fuzzy Hash: F73107B5609350AFC314DF94C480A2BFBE9BBC9754F444A6DF99A83340CBB4D948CB92
                                                        Function 02C477FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?), ref: 02C4786D
                                                          • Part of subcall function 02C478CF: GetDriveTypeA.KERNEL32(?,?,02C47815,?,?), ref: 02C478EE
                                                        • GetFullPathNameA.KERNEL32(?,00000104,?,00000100,?), ref: 02C47859
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectoryDriveFullNamePathType
                                                        • String ID: .$:
                                                        • API String ID: 3995704478-4202072812
                                                        • Opcode ID: 70a13f605875a10787821f1480aab2c3e085f8bbc8979bcb48d799139841bbc1
                                                        • Instruction ID: 93074301a902ceb9b8008a36df7420f8ec605a4e075bb0dc42849c7beaf96f02
                                                        • Opcode Fuzzy Hash: 70a13f605875a10787821f1480aab2c3e085f8bbc8979bcb48d799139841bbc1
                                                        • Instruction Fuzzy Hash: 4F21B471A04244ABEB10DF66D8C8BFBBBACEF40314F104859E945E6581DFB4D29CCBA5
                                                        Function 02C213F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegCreateKeyA.ADVAPI32(?,?,?), ref: 02C21453
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateIncrementInterlocked
                                                        • String ID: ?$RegCreateKeyA$|sprof| RegCreateKeyA %s%d%d%d
                                                        • API String ID: 1897693299-1182295946
                                                        • Opcode ID: c5e70bfa55cc1cec5d7bc27abb65dd9726dffc3f67df19f3364a0a8309034ab0
                                                        • Instruction ID: f2fe15e1eda7205c747638c057fe5eebfcbd37c1b024d7284f042414e650b988
                                                        • Opcode Fuzzy Hash: c5e70bfa55cc1cec5d7bc27abb65dd9726dffc3f67df19f3364a0a8309034ab0
                                                        • Instruction Fuzzy Hash: 5D2107B5518360AFC314DF18C480A5BBBF9EBC9B60F144A0EF99A93340C771D944CB92
                                                        Function 02C1C740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?), ref: 02C1C7A4
                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02C1C7AB
                                                        • MessageBoxA.USER32(00000000,?,?,00000000), ref: 02C1C7DF
                                                        Strings
                                                        • Virtual Script Size = %dVirtual Script Error at:%s%s, xrefs: 02C1C7C3
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Module$FileHandleMessageName
                                                        • String ID: Virtual Script Size = %dVirtual Script Error at:%s%s
                                                        • API String ID: 3068540201-530220104
                                                        • Opcode ID: 197baccd68ba746bad374aa0786e39d066248298f0f0d8db1ff10fcd79675b7d
                                                        • Instruction ID: 8d5c160434a56d122639a627eff0214c52fd7bed47fce2f4f6c5dfe3f9850c9a
                                                        • Opcode Fuzzy Hash: 197baccd68ba746bad374aa0786e39d066248298f0f0d8db1ff10fcd79675b7d
                                                        • Instruction Fuzzy Hash: 611142B5D40249ABDF04EBB4C995FEE7779AF18300F148988F90667280DBB4AB44DF61
                                                        Function 02C20630 Relevance: 6.1, APIs: 4, Instructions: 148registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C206E8
                                                        • GetLastError.KERNEL32 ref: 02C2078F
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 02C207A4
                                                        • SetLastError.KERNEL32(00000000), ref: 02C207B6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$ByteCharInfoMultiQueryWide
                                                        • String ID:
                                                        • API String ID: 3936028233-0
                                                        • Opcode ID: 716eb14f297e165ed32c4825ea65d2d4b12bfa8d0ee2b5e9380350b9fe117f58
                                                        • Instruction ID: 5616099a9e8d920355076f33b1c154efe549f1a6e6664089baa9b480ca227ced
                                                        • Opcode Fuzzy Hash: 716eb14f297e165ed32c4825ea65d2d4b12bfa8d0ee2b5e9380350b9fe117f58
                                                        • Instruction Fuzzy Hash: E551C5B2618750AFC204CB89C880E6BFBF9ABCD750F108A1DF69983250D775E805CB62
                                                        Function 02C43090 Relevance: 6.1, APIs: 4, Instructions: 139fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 02C43168
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: c9b912d4c9152e10f4bc2174211493d677a9066f7a11dbe18c06e351e0f0f5c5
                                                        • Instruction ID: 15f2255eb0b654b7886bfb35ba42d1e9768d49713e52828b07850b7f31093d22
                                                        • Opcode Fuzzy Hash: c9b912d4c9152e10f4bc2174211493d677a9066f7a11dbe18c06e351e0f0f5c5
                                                        • Instruction Fuzzy Hash: 63516271900298EFCB15CF69CC88BAABBB4FBC5354F348A99E9159B251DB30D644CF50
                                                        Function 02BFD320 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetLastError.KERNEL32(00000000), ref: 02BFD42A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: *** failed$GetFileAttributesEx '%s' (internal) -> %x$GetFileAttributesExW '%s' -> %x %s
                                                        • API String ID: 1452528299-1516347340
                                                        • Opcode ID: ba6c16280f0f554fbe85adcd3476c3f7c88260e927ed13db6c4d7da27a60d476
                                                        • Instruction ID: a98a33c0f4f5e8fef68ccd0652b992903c6853c4906abc4bdd663066cb8ffb21
                                                        • Opcode Fuzzy Hash: ba6c16280f0f554fbe85adcd3476c3f7c88260e927ed13db6c4d7da27a60d476
                                                        • Instruction Fuzzy Hash: 8C519F746483419FD368DF14D844B6BB7E9EF88314F144A9DF98983391EB30E949CBA2
                                                        Function 02BE86F0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 127COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02BFBA80: WideCharToMultiByte.KERNEL32(02C66704,00000000,?,000000FF,00000000,00000005,00000000,00000000,02C197E2,?,00000104,00000001,?), ref: 02BFBB00
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?), ref: 02BE87E6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: NULL$SearchPathW path='%ls' fname='%ls' ext='%ls' -> %d %ls$not found
                                                        • API String ID: 626452242-1193916209
                                                        • Opcode ID: 687e84d5c702d7d4ea3a80c0baeb44e4f3caa185831f2d626054cc07e0c6af74
                                                        • Instruction ID: 2b9024289318cffec15f8dfc78bccc5c7e278c4190d69159d2ee6664061c8dd3
                                                        • Opcode Fuzzy Hash: 687e84d5c702d7d4ea3a80c0baeb44e4f3caa185831f2d626054cc07e0c6af74
                                                        • Instruction Fuzzy Hash: 284154716047809FD774DB14C894FEB77E9EBC8714F040A5CE99A97390DB34A848CBA2
                                                        Function 02BFD700 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetLastError.KERNEL32(00000000), ref: 02BFD7A6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: *** failed$GetFileAttributesEx '%s' (internal) -> %x$GetFileAttributesW '%s' -> %x %s
                                                        • API String ID: 1452528299-960381160
                                                        • Opcode ID: ad34e4152e8ada10006598baae56825be93b652e9c5e167e425df56fcee08e09
                                                        • Instruction ID: 46301b1ee1fcb0b44796e63161862e4b1bc797d6e246446fb4f2f4ce5dab3fda
                                                        • Opcode Fuzzy Hash: ad34e4152e8ada10006598baae56825be93b652e9c5e167e425df56fcee08e09
                                                        • Instruction Fuzzy Hash: 98312971944341ABD360EB28DC84BABB7D9DF95714F000A9DEA9543281DB35D94CCBA3
                                                        Function 02BFC210 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 239COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,?,02C66724,00000000), ref: 02BFC237
                                                        • GetModuleFileNameA.KERNEL32(02BFC8F2,?,00000104), ref: 02BFC255
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Module$FileHandleName
                                                        • String ID: %s.dll
                                                        • API String ID: 4146042529-3668843792
                                                        • Opcode ID: 6e52d0501c346e11d11065baf03ce720f38e50302a9eab0ade25b9d57dfa0737
                                                        • Instruction ID: f62e9f1f5c3777f805fa88a9cc44f0a705f24aa1c5fafe203fe2f7ae7c21a1a9
                                                        • Opcode Fuzzy Hash: 6e52d0501c346e11d11065baf03ce720f38e50302a9eab0ade25b9d57dfa0737
                                                        • Instruction Fuzzy Hash: AD81E9B1D0020D9FDF60DF54D880AFEBB79EF45354F18419ADA05A7281D731AA89CFA1
                                                        Function 02C3D6E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: DISPLAY
                                                        • API String ID: 0-865373369
                                                        • Opcode ID: aa7800b7bdcc94682108b2e7c6f0df7e4246c2e5e3ffe936f55778ac53a21bb2
                                                        • Instruction ID: 20964f4f71c76736308c36eb545e3a2feadb40b6a510f6c7e975150d0beced82
                                                        • Opcode Fuzzy Hash: aa7800b7bdcc94682108b2e7c6f0df7e4246c2e5e3ffe936f55778ac53a21bb2
                                                        • Instruction Fuzzy Hash: DC412671B403046BE724AA259C45F7B76DEEFC4B14F14492CFE0297380DA74E919CAE2
                                                        Function 02C210D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 02C21175
                                                        Strings
                                                        • RegCreateKeyExA, xrefs: 02C211B3
                                                        • |sprof| RegCreateKeyExA %s%d%d%d, xrefs: 02C210EB
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CreateIncrementInterlocked
                                                        • String ID: RegCreateKeyExA$|sprof| RegCreateKeyExA %s%d%d%d
                                                        • API String ID: 1897693299-4132352924
                                                        • Opcode ID: 516a849f535bb0f914e50e6602b24639cfa34a1657c482c51dc5e952efa4e010
                                                        • Instruction ID: cbf24b29c88fa88d6a83a65d8b1aeeefec4627a9f233c2269b92369d69bdf848
                                                        • Opcode Fuzzy Hash: 516a849f535bb0f914e50e6602b24639cfa34a1657c482c51dc5e952efa4e010
                                                        • Instruction Fuzzy Hash: F24192B5208350AFD314CF99C880A2BF7E6BBC9750F148A1CF99987390D774E905CBA2
                                                        Function 02C216E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • RegOpenKeyExW.ADVAPI32(?,?,?,?,?,|sprof| RegOpenKeyExW %s%d%d%d,00000000), ref: 02C21756
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: IncrementInterlockedOpen
                                                        • String ID: RegOpenKeyExW$|sprof| RegOpenKeyExW %s%d%d%d
                                                        • API String ID: 4028825625-1623098989
                                                        • Opcode ID: af3b32a0314473b07f5ff8025820bee34562051a68e68ad3c3b1035ebb944837
                                                        • Instruction ID: f73e95d5673ac7e41217d140abfbeab39f70c4de0a6f616dba967569981d7428
                                                        • Opcode Fuzzy Hash: af3b32a0314473b07f5ff8025820bee34562051a68e68ad3c3b1035ebb944837
                                                        • Instruction Fuzzy Hash: E831E4B52083809FC314DF99C480A5BFBE5BBC9754F508A2DF5AA83350C774D949CB92
                                                        Function 02BEB1D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetCommandLineA.KERNEL32(?,00000000,02C4B458,000000FF,02BEB2D7,00000000,02C07ACB), ref: 02BEB207
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: CommandLine
                                                        • String ID: "%s"%s$GetCommandLineA/W -> '%s'
                                                        • API String ID: 3253501508-905467803
                                                        • Opcode ID: 8fe98405a6b3b639387b91040f07aa10024bd25f7dbedba0a9d10a3e4690e710
                                                        • Instruction ID: a62223b1bc7467fe725945342cb4f831de038421f513ef5c9a295c4249455440
                                                        • Opcode Fuzzy Hash: 8fe98405a6b3b639387b91040f07aa10024bd25f7dbedba0a9d10a3e4690e710
                                                        • Instruction Fuzzy Hash: 8121E2309046429FDB11CB18C875BAB7BD9FF4630CF648A98E8D787252DB35C404C791
                                                        Function 02BFC790 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 02C136D0: InterlockedIncrement.KERNEL32(02C5EC08), ref: 02C136ED
                                                        • VirtualQuery.KERNEL32(00000000,?,0000001C,|sprof| patch_scan_virtual_query %s%d%d%d,00000000,?,?,?,00000000), ref: 02BFC7E2
                                                        • GetModuleFileNameA.KERNEL32(?,?,00000104,?,00000000), ref: 02BFC7FE
                                                        Strings
                                                        • |sprof| patch_scan_virtual_query %s%d%d%d, xrefs: 02BFC7B6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileIncrementInterlockedModuleNameQueryVirtual
                                                        • String ID: |sprof| patch_scan_virtual_query %s%d%d%d
                                                        • API String ID: 2601207475-2238009753
                                                        • Opcode ID: 9dff11bf587b491ab44bfc992a4c16d575858fc1deb613f7786ffdc352f3acaf
                                                        • Instruction ID: df62009ccbe5b74cdc9b9d54c37d5513d38d3f90605485b12ceef43309f82f8a
                                                        • Opcode Fuzzy Hash: 9dff11bf587b491ab44bfc992a4c16d575858fc1deb613f7786ffdc352f3acaf
                                                        • Instruction Fuzzy Hash: 56219FB25043459FD320DF54D881B9BBBE9FBC4B20F400A2DF59693290DB74A64DCBA2
                                                        Function 02C1F4C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 02C1F4FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID: ?$RegOpenKeyA
                                                        • API String ID: 71445658-2224417602
                                                        • Opcode ID: 3d05b3b191610be492abf60514537d0d00eb88f688b4b48791cf229d18be4c44
                                                        • Instruction ID: e55671bd69d3051696d3ec077b200f6b44a88b0204be2f8ba6e8b270b75d891d
                                                        • Opcode Fuzzy Hash: 3d05b3b191610be492abf60514537d0d00eb88f688b4b48791cf229d18be4c44
                                                        • Instruction Fuzzy Hash: C911E5B5A09300AFC348DF24C99592BBBE5BBC8704F948E1DF48A83340E734D955CB92
                                                        Function 02BE10D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 02BE10EE
                                                        • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 02BE10FF
                                                        Strings
                                                        • Microsoft.net\Framework, xrefs: 02BE1109
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: FileModuleNameQueryVirtual
                                                        • String ID: Microsoft.net\Framework
                                                        • API String ID: 2827130835-324084749
                                                        • Opcode ID: 5ad85d28ce623350d15ee6c19d06167b640916baa5c40272ce776dc77651f4ed
                                                        • Instruction ID: 5c27dc7f6c006c89a8e1ddbf977a8ddabb50e2c996f93b35f98475077e4a7b1e
                                                        • Opcode Fuzzy Hash: 5ad85d28ce623350d15ee6c19d06167b640916baa5c40272ce776dc77651f4ed
                                                        • Instruction Fuzzy Hash: ACF0C8725103026BDE10E679DC41EAB73DDDFC8748F044A58B549E3144EB74E984CBA2
                                                        Function 02C0E240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: __ftol
                                                        • String ID: .
                                                        • API String ID: 495808979-248832578
                                                        • Opcode ID: 74790ae991e5891210889d145772bc559b0d6f88e686d66b6ee1c8da57925072
                                                        • Instruction ID: 822041aed4b69a438eb3b6496b308b5e058dd5f10b31824441f85bea21145d5d
                                                        • Opcode Fuzzy Hash: 74790ae991e5891210889d145772bc559b0d6f88e686d66b6ee1c8da57925072
                                                        • Instruction Fuzzy Hash: 67F0E2716483107FE2106B548C4AF6FBB99DF92B10F11C54CF68AA61C1CB788550CFA7
                                                        Function 02C37682 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(wsock32.dll), ref: 02C376A7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: c:\tmp\remote_loadd.dll$wsock32.dll
                                                        • API String ID: 1029625771-907105155
                                                        • Opcode ID: ef71d979a778e9e0ebe0abe485086f7702a1a9c525144e48b1a07ade8b30ac59
                                                        • Instruction ID: 30d1b3b36e6e6aaf4408aeb21c6d3478ff695d57d3eb929b71e32bb9905388ba
                                                        • Opcode Fuzzy Hash: ef71d979a778e9e0ebe0abe485086f7702a1a9c525144e48b1a07ade8b30ac59
                                                        • Instruction Fuzzy Hash: 99E026B09002481FF7117B79AC1EB7AB3BC6F45318F481A20A52BE70A0DB64C1988516
                                                        Function 02BE1080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • MessageBoxA.USER32(00000000,?,02C66218,00000000), ref: 02BE10AC
                                                        • ExitProcess.KERNEL32 ref: 02BE10BD
                                                        Strings
                                                        • Executable '%s' had the following unrecoverable error:%s, xrefs: 02BE1090
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1404782277.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_2be0000_CEFA-FAS_LicThsUtils.jbxd
                                                        Similarity
                                                        • API ID: ExitMessageProcess
                                                        • String ID: Executable '%s' had the following unrecoverable error:%s
                                                        • API String ID: 1220098344-947399703
                                                        • Opcode ID: 9df4ffa0d43cf9bf9a50001755b44dd55b1c845228480f8b0b77739b0f988b4d
                                                        • Instruction ID: 5b7ec0b0fc280ed6ea4bf9c3ffe7d01d96505996afb37b8a283dfb69ceb4c60e
                                                        • Opcode Fuzzy Hash: 9df4ffa0d43cf9bf9a50001755b44dd55b1c845228480f8b0b77739b0f988b4d
                                                        • Instruction Fuzzy Hash: D0E0BF75A84301BFE304EB50DC96F7A736DEB84B01F108F48F91656190DAB4B851DB65